Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Stop Windows’ 10-minute reboot reminders
In this issue
- TOP STORY: Stop Windows' 10-minute reboot reminders
- PATCH WATCH: Has Microsoft's patching earned your trust?
- WOODY'S WINDOWS: My list of must-have Windows utilities
- PERIMETER SCAN: Exploiting the discovery of exploits
- OVER THE HORIZON: More flaws emerge in Internet Explorer
Stop Windows' 10-minute reboot reminders
By Brian Livingston
A raging controversy over whether Windows patches ever reboot a PC without permission has been solved. Reboots can happen when you’re not expecting them — but you can minimize the problem or eliminate it entirely.
This subject sparked a debate when reader Evan Katz wrote in to ask whether Microsoft patches had started rebooting Windows automatically, even when the Automatic Updates control panel is configured to notify the user of downloads instead of installing them without notice. His comments were printed in the paid version of our Dec. 15, 2005, newsletter.
I’ve found that there are several little-known cases in which a Microsoft patch can trigger a reboot when you’re not expecting it. No, my findings don’t support a conspiracy theory — Microsoft hasn’t deliberately changed its patches to make you lose your unsaved work in surprise reboots. The true answer lies within the secrets of Windows.
How patches can automatically reboot
In my research, I interviewed Mike Cook, a security support engineer in Microsoft’s Product Support Services (PSS) team. We turned up several reasons why a PC that requires a reboot might do so without warning:
1. Settings in the Automatic Updates control panel. The default for Automatic Updates is "Automatically download recommended updates for my computer and install them every day at 03:00," or whatever time is specified. If this option is selected, patches will be downloaded from the Microsoft site in the background and installed automatically at the specified time, after a 5-minute countdown is displayed. Re-installing Windows or some Windows components can silently reset Automatic Updates, making reboots happen without user intervention.
2. “Helpful” security add-ons. Some Microsoft programs can reset Automatic Updates to its most automatic option. The beta of Microsoft’s Windows OneCare Live security program, for example, notifies the user upon installation that this will be done, but this can easily be overlooked.
3. Windows Server Update Services (WSUS). Windows patches can be pushed to PCs on a network via WSUS, a server program from Microsoft. If so, a particular update can be assigned an installation deadline by an IT admin. “When an update is set to a deadline,” says Microsoft’s Cook, “it overrides any client configuration settings.” This can make a PC reboot even if an end user has Automatic Updates set to not automatically install patches. The PC would display a countdown, but if the user is away from the machine, the timer wouldn’t be seen before the reboot.
4. 10-minute reboot reminders. I believe this is the most common cause of reboots that aren’t expected. When you install Windows patches, and they require a reboot, you’re shown a dialog box asking whether you wish to “Restart Now” or “Restart Later.” (See Figure 1.) If you press the letter N, the reboot starts immediately. Pressing L closes the dialog box. But the default time for the dialog to re-appear is every 10 minutes.
Figure 1. Typing the letter N reboots Windows, even if you didn’t notice that the “Restart Now” dialog box was on the screen.
“We had a lot of feedback on this during the beta” of Windows XP, says Cook. Microsoft’s developers decided that it was very important that a PC be rebooted after applying patches that require it, he indicates. So the decision was made to display a reminder every 10 minutes until the reboot was permitted by the user. And the dialog box was made “modal,” which means it grabs the keyboard focus and won’t go away until you press a key or close its window.
This may be the cause of a lot of “automatic” reboots. If you’re typing a document in, say, Microsoft Word, you could easily type the letter N without noticing that the dialog box had appeared. Whoops, there goes a reboot.
Despite the importance of reboots for certain patches, Cook is certain that Microsoft hasn’t changed the expected behavior. "If Automatic Updates is set to ‘Let me choose when to install,’ the machine should never reboot without an explicit user action," he says.
It can be very inconvenient if Windows reboots when you don’t expect it. Some applications will ask you to save your work, but others will lose work you may have spent a significant amount of time on. In either case, you have to kill some time while the reboot completes.
On the other hand, you don’t want to entirely forget to reboot after applying Windows patches. “It’s pretty important that the machine be rebooted, especially servers,” says Cook. “It could leave a machine in an unstable condition, being half-patched.” Applying a patch changes some files on disk, while others can’t be changed until the reboot occurs.
How to stop unexpected reboots
If you use Windows XP Pro, you can use a little-known setting to turn off the auto-reboot feature of Automatic Updates. This way, you can configure Automatic Updates to download and apply patches automatically at night, which is good for your security. But AU won’t reboot your PC. Instead, a reminder to reboot will be displayed. If you set AU to apply patches at 3:00 a.m., which is the default, you can reboot first thing the next morning when you’re not in the middle of a project.
The best way to change this setting is using Windows XP Pro’s built-in Group Policy Editor (it doesn’t exist in XP Home):
Step 1. Click Start, Run, enter gpedit.msc, then click OK.
Step 2. In the window that opens, click the plus signs in the left pane to navigate to the following folder, then select that folder:
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Step 3. In the right pane, right-click No auto-restart for scheduled Automatic Updates installations, then click Properties. In the Properties dialog box that appears, select Enabled, then click OK and close the Group Policy Editor window. You’re done.
Microsoft provides information about this and several other options in Knowledge Base article 328010.
Use WSUS to stop 10-minute reminders
If your company uses Windows Server Update Services to distribute patches, you can take advantage of a little-known setting in the Windows Registry to prevent the 10-minute reminders. With WSUS installed, you can change the interval from 10 minutes to as long as 1440 minutes (24 hours).
I don’t recommend that you set the option to 24 hours, however. If someone dismisses a reminder, and then forgets to reboot before leaving the PC for the night, another reminder could pop up exactly when they’re working hard the next day. The problem of accidental "Restart Now" commands would be as bad as before.
Instead, I recommend that you set the Registry to remind you every 12 hours (720 minutes). This way, if a reminder is dismissed, the next dialog box will pop up when no one is likely to be working at the PC. (Anyone who types for 12 hours without a break has bigger problems than unexpected reboots.)
If WSUS is installed, the reboot-reminder time is specified in the following Registry subkey:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
The key that controls the delay is RebootRelaunchTimeout. Set this to 720 for 12 hours, or whatever interval you wish.
Microsoft has documented this and several other Automatic Update configuration settings for non-Active Directory environments in a TechNet article. That article mentions that your RebootRelaunchTimeout setting will be ignored if you set RebootRelaunchTimeoutEnabled to 0.
For a description of how to use Group Policy Objects in an Active Directory environment to set the interval, see Microsoft’s article on AU by Group Policy.
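The following PowerShell script is an added example, not code from the newsletter: it applies both settings described above on a single machine (the no-auto-restart policy from Step 3 and the WSUS reminder interval) by writing the AU policy key directly, then reads the values back and reports the pitfalls mentioned, including a RebootRelaunchTimeout that is silently ignored because RebootRelaunchTimeoutEnabled is 0. It assumes an elevated session on a Windows box; NoAutoRebootWithLoggedOnUsers, which the article does not name, is the registry value behind the “No auto-restart for scheduled Automatic Updates installations” policy.

```powershell
# Added example (not from the newsletter): apply and audit the reboot-related
# Automatic Updates policy values discussed above. Run from an elevated session.
$AuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-AuRebootPolicy {
    param(
        # Minutes between "Restart Now / Restart Later" reminders (WSUS allows 1..1440)
        [ValidateRange(1, 1440)]
        [int]$RelaunchMinutes = 720,
        # Whether a scheduled install may restart a PC that has a user logged on
        [bool]$AllowAutoRestart = $false
    )
    # The policy key does not exist until some policy has been written here
    if (-not (Test-Path $AuPolicyPath)) {
        New-Item -Path $AuPolicyPath -Force | Out-Null
    }
    # RebootRelaunchTimeout is ignored unless RebootRelaunchTimeoutEnabled is 1,
    # so the two values are always written together.
    Set-ItemProperty -Path $AuPolicyPath -Name 'RebootRelaunchTimeoutEnabled' -Value 1 -Type DWord
    Set-ItemProperty -Path $AuPolicyPath -Name 'RebootRelaunchTimeout' -Value $RelaunchMinutes -Type DWord
    # NoAutoRebootWithLoggedOnUsers = 1 is what the Group Policy setting
    # "No auto-restart for scheduled Automatic Updates installations" writes.
    $noAutoReboot = if ($AllowAutoRestart) { 0 } else { 1 }
    Set-ItemProperty -Path $AuPolicyPath -Name 'NoAutoRebootWithLoggedOnUsers' -Value $noAutoReboot -Type DWord
}

function Test-AuRebootPolicy {
    # Reads the values back and returns one finding per problem (or a single OK line).
    $findings = @()
    if (-not (Test-Path $AuPolicyPath)) {
        return @('No AU policy key: Windows defaults apply (10-minute reminders, automatic restart allowed).')
    }
    $au = Get-ItemProperty -Path $AuPolicyPath
    $enabled  = $au.RebootRelaunchTimeoutEnabled   # $null when the value is absent
    $timeout  = $au.RebootRelaunchTimeout
    $noReboot = $au.NoAutoRebootWithLoggedOnUsers

    if ($null -ne $timeout -and $enabled -ne 1) {
        $findings += "RebootRelaunchTimeout=$timeout is set but RebootRelaunchTimeoutEnabled is not 1, so the interval is ignored."
    }
    if ($enabled -eq 1 -and $timeout -ge 1440) {
        $findings += "A $timeout-minute interval can resurface in the middle of the next workday; 720 keeps the reminder off-hours."
    }
    if ($noReboot -ne 1) {
        $findings += 'NoAutoRebootWithLoggedOnUsers is not 1: a scheduled install can still restart the PC after its 5-minute countdown.'
    }
    if ($findings.Count -eq 0) {
        $findings += "OK: reminders every $timeout minutes, no automatic restart while a user is logged on."
    }
    return $findings
}

Set-AuRebootPolicy -RelaunchMinutes 720
Test-AuRebootPolicy | ForEach-Object { Write-Output $_ }
```

In an Active Directory environment the Group Policy Object described above overwrites these values at the next policy refresh, so the script is meant for standalone or WSUS-only machines.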
Whew. All this work just to make sure that a reboot won’t take place without your active participation! It’s complicated, but I’ve tried in this article to give you the basic facts you need and links to more.
To send us more information about the reboot-reminder problem, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Has Microsoft's patching earned your trust?
With the patch issues that arose last week, and folks asking if Microsoft tests patches before releasing them, it reminds us that Redmond still has a long way to go in the trust department.
But Redmond wasn’t the only one with vulnerability and software issues this time around. Apple has joined in the browser vulnerability battle with its Safari browser this week. Sophos didn’t help much with its software giving off false positives. It’s been more of a battle to clean up after our security tools than it was to deal with patching issues this month.
MS06-007 (913446)
The patch that didn’t patch
If you remember my Feb. 16 column, MS06-007 (913446) had issues with installing on some systems. On Patch Tuesday, you had to manually install it if you wanted that patch on your system. By Wednesday, however, the patch engine had been repaired — as reported by the MSRC Blog — and was working as it should.
For many folks, this reminded them of previous issues they had with patches and brought up questions regarding patch testing. It’s valid to raise this issue, but as a veteran patcher, I can say that the quality of Microsoft patches has improved in the last several years.
KB 912945
Don’t install the IE ‘nonsecurity’ patch
I’m signed up for the Microsoft security advisory notifications. So when advisory 912945 came into my mailbox at the end of February, I was scratching my head. I couldn’t figure out why Microsoft is describing this as a nonsecurity patch, even though MS says it replaces a previous security patch (MS05-054) and it will eventually be replaced by yet another security patch in the future.
That’s what the gist of 912945 is all about, if you merely read the advisory. But, in reality, this is a patent fight in sheep’s clothing. Microsoft has issued this patch in response to the so-called Eolas lawsuit brought against it.
You may remember the earlier “patent fight” service packs. One was released on Sept. 27 as Office 2003 SP2 and the other on Oct. 18 as an update for Access 2002. These patches, among other things, remove Access’s ability to write to data in a table that’s linked to an Excel spreadsheet, due to a case known as Amado v. Microsoft. I commented on this in my blog on Jan. 25.
The Feb. 28 “nonsecurity” patch interferes with IE’s ability to activate “active content” automatically. The user will have to click a location in the browser window to activate the video or whatever content is affected. This will affect numerous sites, although Microsoft’s advisory links to possible workarounds.
My bottom line is this: You should pass on installing this patch. In Microsoft Update, it’s found down in the middle, “optional” section of patches. It’s in between a patch for the Internet Explorer 7 beta regarding issues with Outlook and Outlook Express (904942) and a fix for Australian daylight saving time issues (912475). When 912945 is integrated into a future security bulletin, it may be impossible to avoid. Until then, you can and should avoid it, in case any of your users depend on IE’s existing behavior.
If you remember my criteria for updates, the patches in Microsoft’s upper, “high priority” section should always be installed (unless there’s a known issue); “optional” patches are only installed if I deem them necessary; and I don’t install drivers from Microsoft Update.
Thus, you should skip KB 912945. Alan Jones has some additional comments about the changes the patch introduces into IE in his Feb. 28 blog entry. As Jones writes, “Eolas won the lawsuit against Microsoft, not against you. Microsoft has to release this update, but you don’t have to install it. Don’t.”
Junk filter violates trust, favors Outlook
Patching your computer means you’re trusting the vendor to return your system to a working condition. When a patch doesn’t do so, it breaks people’s “trust of patching.”
For example, the downloadable Outlook Junk E-Mail Filter, which is regularly updated by Microsoft, now resets Windows’ default e-mail client to itself. Installing the filter update does the equivalent of a “detect and repair” that resets the default mail client to Outlook. If the end user prefers a different e-mail client, even Microsoft’s own Outlook Express, he or she must reset the preference each month. That violates people’s trust in patches.
Workarounds to fix this, one involving a Registry change and two others that work via dialog boxes, have been published by OEHelp.com (see tip 13).
Some say this flaw in the junk filter is not a security issue. They say it therefore isn’t a high priority for Microsoft to fix, as compared to, say, a security issue in Word.
In my book, however, it is a high priority to correct. Why? Because upgrading the filter breaks your confidence that your machine will be returned to you in the same good condition as before you used Microsoft Update.
Not just the junk filter, but any patch that affects Outlook misbehaves in the same way. Nowhere in the Knowledge Base articles for the filter — such as KB 911961 — nor in the EULA (end-user license agreement) included in the download does it disclose that it will reset the default e-mail preference in your system. I hope Office 2007 will be more worthy of our trust.
Microsoft Money EULA raises concerns
Buried in every end-user license agreement is usually some language that has you wondering if you should go out and hire an attorney.
On a listserve I was following recently, a user of Microsoft Money was wondering just what he’d approved when he clicked the “I Accept” button. Money’s 2006 EULA is similar to the one I found online for 2005. The second sentence of each states: “Microsoft may from time to time without notice, automatically download and install onto your computer updates for Microsoft Money, including updates necessary for you to continue to use the Internet-Based Services.”
While I still firmly believe, based on my own investigations, that a Microsoft security patch never installs without your permission, as has been alleged at EmailBattles.com, this wording was enough for this user to stop and ask if he trusted Microsoft to download things to his computer without notice.
MS06-009 (901190)
Proofing problem doesn’t just affect Koreans
In my Feb. 16 column, I left everyone with the impression that security bulletin MS06-009 (901190) was only of interest to those who had a Korean toolbar installed. But buried deep within the bulletin was text stating that customers with any version of Office 2003 proofing tools installed would need to install an update. This is regardless of whether or not they’d specifically installed the Korean proofing tools.
You should therefore review your systems for Office 2003 proofing tools. If they’re installed, you need to ensure that Microsoft’s patch is installed on those systems.
Flaws take a bite out of Apple
For corporate Apple users, it was a tough week. First, Sophos accidentally flagged Office 2004 as a virus, making the suite unusable, as reported on Incidents.org. Then a serious flaw was discovered in Apple’s Safari browser in OS X. The vulnerability can be exploited with no user action required.
Apple released a patch on Mar. 1 that corrects the OS X problem, as described in an advisory by Secunia. To see whether your Apple OS X systems are vulnerable, visit Secunia’s test page.
Do you reboot your computer?
A hot topic recently on the PatchManagement.org listserve was the issue of daily rebooting. This was also discussed at The AIMS Group.
Many of Microsoft’s patches, but not all, require rebooting. Central management of desktops is easier for administrators if machines are left turned on. In many offices, the habit is to turn the machines off when not in use. But these days, with antivirus and antispyware programs requiring frequent updates, leaving a computer turned on may protect you better than turning the machine off.
ISA 2004 SP2 won’t let you fly Delta
I tend to wait a bit before installing service packs. I thus was not affected by the reported issue that installing ISA 2004 SP2 prevents the Web site of Delta.com from working.
This is apparently a problem with the way ISA handles pages on the Delta site. But there may be other sites out there that have issues with the ISA service pack, too. As of now, I’ve seen unconfirmed reports of issues downloading iTunes and even with updates to Microsoft’s Windows Defender.
If you’ve installed the service pack, you can uninstall it to correct the problem. Alternately, you can adjust the compression settings in ISA. It’s recommended that you also disable the cache settings before installing this service pack as it updates how ISA handles BITS. (For information on doing this, see the ISAserver.org discussion thread.)
If you see the issue affecting sites other than Delta.com, I recommend that you call Microsoft’s Product Support Services and report it. Issues with patches qualify for a free call to 1-866-pcsafety from the U.S. and Canada. (Other numbers are available for other countries.)
Over half of the respondents to a poll by Incidents.org didn’t know the U.S. and Canada had such a number. In addition to earning our trust of its patches, Microsoft needs to educate us on the resources that are available to support reporting patch problems.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title awarded by Microsoft to independent experts who do not work for the company. She’s known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003 and is a partner in a CPA firm.
My list of must-have Windows utilities
I’ve seen (and reviewed) enough Windows XP utilities to bust a billion bottomless bit buckets. The world’s full of ’em.
But when a good friend recently asked, “What utilities do you really use, Woody?”, I had to stop for a while and think. You see, truth be told, I keep very few utilities on my main machine. Too much headache. Too little benefit. Hard to keep them all straight.
The basics: utility minimalism
Of course, I run an antivirus program, a couple of antispyware programs, and a third-party firewall. I spend a whole lotta time inside Firefox. Then there’s a replacement for Windows Media Player to feed my iPod, a peer-to-peer file sharing program, a desktop search engine, and the stuff everyone accumulates whether they need it or not — QuickTime, Adobe Reader, the Java Runtime Environment, Flash. I also swear by IrfanView graphic viewer/editor.
But those are all big programs. They require a substantial investment in time and little gray cells. What about the specific-purpose tools — the real utilities — that solve a common problem, and solve it well? That’s where things get fun.
A few cool utilities everyone needs
In previous editions of the Windows Secrets Newsletter, I talked about TweakUI and the Image Resizer PowerToy. They’re indispensable, they’re from Microsoft, and they should’ve been included in Windows.
Here are the other utilities I always keep at hand. They’ve proven themselves useful so many times that I always install them immediately on a new machine:
• Clipboard Recorder replaces Windows’ wimpy clipboard with an industrial-strength 99-item cupboard. Hit Ctrl+Alt+V and paste any of the last 99 copied items. You can even use Clipboard Recorder to transfer items from one computer to another. Fast and tiny.
• AI Roboform memorizes passwords and fills out online forms. Super secure. Super easy.
• ProduKey helps you if you ever lose your product key — that 25-character monstrosity that was printed on the yellow sticker on your Windows (or Office) CD case. You never know when you might need it. In Windows XP Timesaving Techniques For Dummies, I recommend a product called Magical Jelly Bean Keyfinder. Unfortunately, I’ve had trouble recently with the Bean when using Office XP and 2003 together in a mixed environment. Not sure what happened. But ProduKey works like a champ, retrieving product keys for Windows XP, Windows 2000, Office 2003, and Office XP.
• Picasa 2, from Google, helps you organize, annotate, edit, email, burn, print or post your pictures. At last, help for the most daunting task on almost every home computer.
Some special utilities for special problems
I also put these utilities on my main machine, and recommend them for my computer-savvy friends:
• Snadboy Revelation is hard to believe, but this nifty tool “sees” passwords and other hidden, asterisked-out text in many applications. It doesn’t work with Web pages, and it occasionally balks inside some Windows programs. But when it works, it’s like having X-ray vision. It’s the only way I know to retrieve e-mail account passwords in Outlook.
• Process Explorer is a technical utility. If you’re the kind of person who never looks at Windows’ Task Manager (press Ctrl+Alt+Del, then select Task Manager), you can pass this one by. But if you ever wonder how your system’s running — or which program has what file open — you can’t beat this dig-down-deep utility.
• Do you still use Notepad? If so, check out EditPad Lite. You can edit multiple files, each in its own window, with infinite undo and an interface that doesn’t get in the way.
The common thread in the best utilities
That’s it. Small, simple, high-impact utilities. No fluff.
Oh. I forgot to warn you.
Every utility I mention in this column is free. Absolutely free for personal use, no strings attached.
Woody Leonhard’s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.
Exploiting the discovery of exploits
What’s the exploit you’ve found worth?
Have you ever stumbled across a security problem in a major software vendor’s product? You weren’t just going to tell them for free, were you?
The vulnerability information market heats up
Over the years, there’s been a seismic shift in how security vulnerability information has been shared. This is going to have a big impact on you in the months and years to come. In this column, I’ll use the word “vulnerability” to mean the flaw itself. The term “exploit” (as a noun) means a piece of code designed to trigger the vulnerability for some gain. For purposes of this discussion, you can consider them both to be variations on the same theme: there’s a way to hack in.
In the dark ages, vendors would largely ignore, downplay or hide their vulnerabilities. Some still do. Or they would “slipstream” the fix. This means they’d include the fix in some standard update, not bothering to mention that there was a security fix and that you really should install the patch.
This often led system administrators to think of patches as something to look for only when they were experiencing a problem, such as a feature that wasn’t working correctly. I’ll bet it’s been some time since you thought of patches as much more than a way to keep the security problems at bay.
Then came the golden age. Clever vulnerability researchers would impress each other by posting their finds to Bugtraq to demonstrate their prowess. Many vendors were made fun of and new exploitation techniques were developed. Researchers perfected the art of buffer overflow exploitation, heap games, format string fun, cookie cracking, and SQL injecting. And of course, while many were freely sharing largely for recognition, there was an acknowledgement that often there was a private stash, kept in reserve for special occasions.
The silver age followed the dot-com boom, with security companies springing to life. All the cool companies had vulnerability research teams and the exploits-for-fame game became your company’s free publicity.
Why not buy the scanning tool from the guys who found the original flaw? Wouldn’t you rather have a penetration test done by the No. 1 bug hunter?
I myself was employed by SecurityFocus during this time. We didn’t have the typical vulnerability research team, but we kept one of the earliest vulnerability databases, where such efforts were cataloged.
The suspicious among us were already pointing out that there seemed to be an awful lot of commercial taint to the vulnerability disclosure during the silver age. But the information was still being made public. Although, there may have been a little delay here and there, and maybe paying customers got first crack.
Traders offer exploits for sale
What comes after the silver age? I think in this case, we’ve skipped the bronze age, and have gone straight to plain old “business.”
Even going back to the tail end of the golden age, there were always hints of exploits for sale. All of the commercial vulnerability scanner programs included at least a couple of “private” exploits in their arsenal. Penetration testers have always generally acknowledged keeping one or two personal tricks secret to show off with and dazzle their customers. And even bug bounties, like those that Netscape used to offer back in the day, were a form of exploit buying.
But the current trend is a whole different animal. I’ve been watching this for some time, but the catalyst that led to me covering this topic in this issue is an interesting offer from iDefense.
I think of iDefense as being the company that really started the open market for exploit sales. A few years ago, they took the rather controversial step of offering cash for vulnerability information. You would agree to share the info just with them, and in exchange you could end up with $100, $250, or even $500 if the exploit was a juicy one!
Some people, myself included, thought this looked like a bit of a joke. The bounty was often mocked, and a standard put-down for an unsexy vulnerability included a variation of, “Go sell it to iDefense.”
Well, few of us are laughing now. I’m sure not. Last year, iDefense was acquired for $40 million by Verisign. But today’s news is that iDefense is offering to pay a whopping $10,000 for each Microsoft vulnerability you find that results in a critical security bulletin.
Just to emphasize a point, that’s $10,000 for each one. If five different ones are submitted, they’ll pay out $50,000.
Bringing exploits into the aboveground economy
Now, I made a little bit of a leap here in terms of the money trail. If you’re interested in a few more of the intermediate steps, I encourage you to check out a blog entry from Brian Krebs of the Washington Post. In his report, he covers a lot of the most recent events that I’ve been watching, including the $4,000 that was purportedly paid for the WMF flaw. Krebs also describes other companies that will buy your exploits and other ways you can generally make money selling exploits.
I’m going to skip some of those details here. I want to get to the impact on you, the people who’ll have to deal with the patches and malware that will flow from these efforts.
First, do you see the rather steep upward trend in price? My extremely rough, back-of-the-envelope estimate is that two years ago, a good remote Windows hole would sell for around $1,000. As of about a week ago, iDefense’s offer appears to be $10,000. And, frankly, I think $25,000 isn’t all that unlikely from certain buyers.
I don’t just mean the underground spammer or spyware-installer type. I believe you could get that much from a well-known company.
That kind of money isn’t in play without changing the landscape. That’s even enough to interest your typical California coder, let alone some clever hacker from another country that has a much lower cost of living.
Does this make your life better, worse, or the same in terms of the fallout? I’m assuming that the majority of you who’re reading this column didn’t just decide to go into the exploit business. Instead, you’re wondering what this means in terms of the patches you’ll have to make to protect against malware.
I suspect — or perhaps more accurately, I hope — that this will be an improvement. Let me explain why.
Microsoft wants as many of these critical issues found and fixed as possible. Strangely enough (at least so far), when iDefense pays $10,000 for a bug, they still turn around and give it to Microsoft for free. They then expect Microsoft to fix it.
Further, iDefense plays the game Microsoft’s way. They won’t publish the flaw until Microsoft has the fix ready. Some of you might prefer they wait a little longer after Patch Tuesday to release the details. But I contend — as I explained in my Oct. 13, 2005, column — that when the patch is out, the cat is out of the bag anyway.
In short, iDefense is taking vulnerabilities off the private underground market and eventually handing you a patch for free. Think about it from the exploit author’s point of view. Share with my buddies, or make $10,000? Sell to some spyware scum in a deal with very dubious legality, or get some cash and some public acknowledgement?
It may seem a little scary that someone is asking for more things to patch, but I think it’s going to help in the long run.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
More flaws emerge in Internet Explorer
Flash and JScript can cause crash
An advisory on the SecurityFocus site discusses a flaw in Internet Explorer 6.0 that can cause the browser to crash if specially designed JScript code is inserted into a Flash animated object. By itself, this vulnerability cannot cause infected files to be installed on your computer.
The security researcher who discovered this vulnerability included a proof-of-concept exploit — which I tested myself on a Windows XP SP2 computer with a fully patched version of IE — and it does cause IE to crash pretty quickly.
At the time of this writing, there is no word of a patch from Microsoft.
What to Do: The most obvious answer to that question is to switch to an alternate browser, such as Firefox, that isn’t vulnerable to this problem. If that’s not an option, you could uninstall Flash from your computer so it can’t be used in Internet Explorer. This will disable all Flash capabilities on Web sites that use Flash, so it might make browsing some Web sites more difficult.
Script engine flaw can cause IE failure
The same security researcher who discovered the first vulnerability listed in this column has also discovered a buffer overflow vulnerability in both the VBScript and JScript scripting engines of Internet Explorer. Successfully exploiting this flaw will cause IE to crash, just like the first flaw described in this column.
At this writing, the possibility of using this vulnerability to run infected programs has not been tested. At least one researcher believes that using this flaw to spread viruses/Trojans by itself would be difficult at best. A proof-of-concept exploit is also included with his advisory.
What to do: My recommendation is the same for this flaw as the last: switch to Firefox. You can take steps to disable scripting in IE, but since the Web seems to be dependent on scripting technology to provide features of all kinds these days, surfing the Web might not be worth it with those scripting engines disabled.
Unpatched vulnerability in IE 7 Beta 2
SecurityFocus has also posted details of a third unpatched IE vulnerability, this one in IE 7 Beta 2. I was surprised when I found this advisory, because I hadn’t heard anything about it. I’d have thought something like this would generate some news, but maybe I just missed it. Of course, IE 7 is still in beta, and it’s possible that security reporters are cutting Microsoft a little slack.
I can see why some writers might let this slide, simply because IE 7 is a beta and not a final product. However, considering how strongly Microsoft is encouraging users to download and install the next version of IE, which plenty of them have done on their work computers, I feel someone should at least bring it up. I couldn’t find the issue covered anywhere else.
This vulnerability is a denial of service: it crashes the browser. The cause is Urlmon.dll failing to handle user-supplied data properly. It has also been reported that exploits may allow execution of attacker-supplied code, but I haven’t seen that independently confirmed.
What to do: The fix for this one is the simplest of all: don’t install IE 7 Beta 2 in the first place. I, for one, don’t like beta testing IE for Microsoft. Your Web browser is your window to the Internet. Why help hackers get into your computer by using software that isn’t finished?
Even if you’re one of those computer users who always has to have the latest and greatest thing, my advice is to uninstall the IE 7 beta and go back to what you were using before.
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.
