Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
The sorry tale of the (un)Secure Sockets Layer
In this issue
- TOP STORY: The sorry tale of the (un)Secure Sockets Layer
- LOUNGE LIFE: Etiquette lesson for the computer age
- WACKY WEB WEEK: Even French cattle have a fondness for jazz
- LANGALIST PLUS: Upgrades end in erratic, partial hangs
- BEST PRACTICES: Passwords — don't take them with you
- PATCH WATCH: Moving more DigiNotar certs to 'untrusted'
The sorry tale of the (un)Secure Sockets Layer
By Woody Leonhard
Two brazen Web-server break-ins this year call into question one of the Internet’s fundamental security mechanisms — website security certificates. Because the most recent breach affected only PC users in Iran, most of us assume we’re immune. But we’re not; here’s why — and what we can do to protect ourselves.
In her Sept. 8 Top Story, Susan Bradley talked about compromised SSL security certificates from DigiNotar, a certificate authority (definition). Somebody had broken into DigiNotar’s certificate-issuing computers — all of them — and made a bunch of fake certificates for such sites as *.google.com, *.microsoft.com, and windowsupdate.com. In her article, Susan gave instructions for manually removing potentially compromised certificates from your system. Microsoft, thankfully, has recently automated this process through MS Support article 2607712.
The mainstream press has gone gaga over the story and has produced a blizzard of ill-informed and misleading reports. If you can join the words hacker, Iran, and browser with a few technical-sounding nonsense words and then speculate wildly, you, too, could be writing copy for one of the major news outlets.
Below, I explain exactly how security certificates work, and I describe the perversity of the certificate-issuing process: how we got into this fine mess and what we can do to stay out of it in the future.
Just what exactly is a security certificate?
No doubt you’ve used https secure sites for years. You know to look for the “s” in https before typing any sensitive information into your PC, and you know that your browser (depending on brand and version) displays a padlock icon or some equivalent symbol when it’s safe to type passwords, account numbers, e-mail messages, and similar personal information. If you don’t see a lock, or the lock is crossed out as in Figure 1, anything you type can be viewed by anyone casually snooping on your Internet connection.
Figure 1. An indication from Chrome that the site you’re visiting doesn’t have a valid certificate.
When you type https into a browser’s address bar, your browser must validate the site’s Secure Sockets Layer (SSL) certificate (or cert). If the browser believes it’s good, the lock shows up on your browser’s address bar and you have a secure connection.
Or do you?
The answer hinges on how a browser validates a particular SSL certificate. It’s complicated; each browser keeps a list of certificate authorities (CAs) — companies such as DigiNotar that issue trusted certificates — and that list is different for each browser. (For more on this topic, see the ISC Diary article, “How makers of Web browsers include CAs in their products.”)
The process will vary, but it typically goes something like this: you type https://somebank123.com into your Web browser. The browser goes to somebank123.com and retrieves the site’s certificate. The browser then examines the certificate and determines which certificate authority issued the certificate, checking whether the CA is on its list of valid certificate issuers. In some cases, the browser goes out to the CA’s website to validate the certificate.
If the certificate is issued by, say, VeriSign (which has about half of the certificate business), the browser confirms that VeriSign is on its list. To double-check, the browser next goes to VeriSign’s website to make sure that the cert is valid. If the certificate passes muster, the browser establishes a secure, encrypted connection between the PC and the bank’s Web servers (and puts up the lock icon).
That isn’t the whole story — there are white lists, black lists, revocation lists, and all sorts of other complicating factors. But you get the picture.
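The steps just described can be reproduced from a PowerShell prompt with .NET’s X509Chain, which walks from the site’s certificate up to a root in the Windows trusted store and checks revocation along the way. This is an added example, not the article’s code; it assumes a certificate file saved from a site ($certPath) and the host name you typed ($expectedHost), and it also applies the one-wildcard rule browsers use, under which a cert for *.*.com matches no host at all.

```powershell
# Added example: browser-style validation of a saved server certificate.
# Assumptions: $certPath points at a DER or Base64 .cer file you exported from a
# site; $expectedHost is the name in the address bar. PowerShell 3 or later.
$certPath     = 'C:\temp\somebank123.cer'   # placeholder path
$expectedHost = 'somebank123.com'

function Test-HostnameMatch {
    # A single '*' is allowed only as the whole leftmost label, so '*.google.com'
    # covers mail.google.com but not google.com or a.b.google.com, and a
    # pattern such as '*.*.com' can never match anything.
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant(); $h = $HostName.ToLowerInvariant()
    if (-not $p.Contains('*')) { return ($p -eq $h) }          # plain name: exact match
    $pLabels = $p -split '\.'; $hLabels = $h -split '\.'
    if ($pLabels[0] -ne '*' -or $pLabels.Count -lt 3) { return $false }
    $rest = @($pLabels | Select-Object -Skip 1)
    if ($rest -contains '*') { return $false }                 # second wildcard: reject
    if ($pLabels.Count -ne $hLabels.Count) { return $false }   # '*' spans one label only
    return (($rest -join '.') -eq ((@($hLabels | Select-Object -Skip 1)) -join '.'))
}

function Test-ServerCertificate {
    param([string]$CertPath, [string]$ExpectedHost)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Ask the CA whether the cert has been revoked (CRL/OCSP), for every link in the chain.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    # Build() finds the issuer of each certificate in turn and succeeds only when
    # the top of the chain is in the Trusted Root store and nothing is expired or revoked.
    $chainOk = $chain.Build($cert)

    # Names the certificate claims: all DNS SANs when PowerShell exposes them,
    # otherwise the first DNS name (or CN) that .NET reports.
    $names = @($cert.GetNameInfo('DnsName', $false))
    if ($cert.PSObject.Properties['DnsNameList']) {
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    }
    $nameOk = [bool]($names | Where-Object { Test-HostnameMatch -Pattern $_ -HostName $ExpectedHost })

    $last = $chain.ChainElements.Count - 1
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Root         = $chain.ChainElements[$last].Certificate.Subject
        ChainTrusted = $chainOk
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Names        = ($names -join ' ')
        NameMatches  = $nameOk
        ShowPadlock  = ($chainOk -and $nameOk)   # both checks must pass before a browser shows the lock
    }
}

Test-ServerCertificate -CertPath $certPath -ExpectedHost $expectedHost | Format-List
```

A DigiNotar-issued *.google.com cert run through this on a patched machine fails at ChainTrusted (the root is in the Untrusted store), while a cert for *.*.com would pass chain building on an unpatched system yet still fail NameMatches under the one-wildcard rule.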
Once upon a time, SSL certificates were managed by a handful of CAs. That’s changed; Web browsers now recognize between 30 and 60 CAs. The company that issues a cert is supposed to perform some due diligence to make sure each certificate is assigned only to a legitimate company, but what defines “due” and “diligent” is controversial. CAs are audited only once a year for compliance.
Owners of websites can get free SSL certificates. But a cert from a widely recognized CA costs between U.S. $20 and $1,500 per year. Selling certs is big business — so big, that the major CAs now farm out some of their authority. Many hundreds of companies called Registration Authorities (RAs) are now authorized to issue certificates on behalf of the big CA organizations.
Think of it as a franchise operation. You start a company and pay BigCA, Inc., to become an RA. You sell certs to anybody and everybody and make a lot of money doing so. You get good at selling certs, so you set up an online system so your employees can sit around all day, approving and selling more certs.
The certs are sold by your company, but they carry the imprimatur of BigCA. The folks at BigCA say you need to protect your cert-issuing system, and they check that you’re doing so — but they don’t check very hard. Therein lies the rub: breaking into an RA’s system and issuing fake certs with BigCA’s name is pretty easy. In the case of some RAs, apparently breaking into the cert-issuing systems took no more effort than a simple SQL injection.
The genesis of a man-in-the-middle attack
Back to our connection with https://somebank123.com. The certificate passes the test; you sign on to your bank account, transfer some money, and you’re done. No big deal.
But what if a cyber thief with a faked certificate for somebank123.com can put himself in the middle of your conversation with the banking site? That’s a man-in-the-middle attack. You type https://somebank123.com into your browser’s address bar and the browser heads out to somebank123.com, but somehow the bad guy redirects your browser so that it goes to his site. The bad site presents its faked certificate, claiming that it’s somebank123.com — and your browser accepts it.
The bad site also initiates a session with somebank123.com. When you type in your user ID and password, the bad site grabs that information and uses it to sign into somebank123.com. You think you’re directly connected to somebank123.com, doing business as usual, while the whole time the malicious man-in-the-middle site keeps copies of everything that’s coming and going. Your interaction with somebank123.com goes a little slower than usual, but if the man-in-the-middle operation works properly, you’re unlikely to know it’s there.
For a man-in-the-middle attack to work, it’s not enough that the cyber thief has a fake certificate: he must also insert himself between your browser and the genuine site.
Fortunately, that step isn’t easy. In the past, we’ve seen website redirection crop up in many fascinating places. You may recall that altering the Windows HOSTS file can make a browser look for URLs in all the wrong places. There’s a good overview in a Windows Secrets Support Alert article way back in 2005.
Another technique, DNS poisoning, can also send your browser to a place other than its intended destination. There was a spate of DNS-poisoning attacks (more info) in mid-2008 that took advantage of an inherent flaw in the way Domain Name Servers used to work. That flaw’s been fixed, but DNS poisoning still happens.
The latest round of man-in-the-middle attacks, though, apparently took place with code running on or through Internet Service Provider (ISP) servers. In many countries, the government has direct control over ISP servers — indeed, in many cases, the government is the ISP. If a person or group in possession of a fake cert can take over the Internet Service Provider’s computers, all the elements are in place for this kind of man-in-the-middle attack.
How bad was the recent break-in — really?
This sort of attack has been around for more than a decade.
On Jan. 30 and 31, 2001, VeriSign issued two certificates to someone who said he or she was representing Microsoft, according to a CNET story. There was no technical wizardry involved: somebody simply sweet-talked employees at VeriSign into issuing the two certificates. Microsoft finally found out about the bogus certs and moved to revoke them in mid-March 2001. As best I can tell, nobody ever used those fake certs.
In March of this year, someone calling himself ComodoHacker — describing himself as a 21-year-old Iranian — broke into the certificate-issuing computers of a small RA firm in Italy called InstantSSL.it. InstantSSL sells certs for big-name CA Comodo (yes, the same Comodo that makes firewalls and antivirus software). ComodoHacker got into the InstantSSL system and found that he could issue and validate certificates under the Comodo imprimatur. Did he generate fake certs for paypal.com or bankofamerica.com? No — he went for addons.mozilla.org, www.google.com, mail.google.com, login.skype.com, login.live.com (Microsoft Live, including Hotmail), and login.yahoo.com. Those are precisely the kinds of sites a government might wish to monitor from the middle, to keep tabs on its residents.
The latest skullduggery occurred when someone — possibly the same ComodoHacker — broke into the cert system for DigiNotar, a CA (not an RA) located in the Netherlands, and gave himself many fake certs. From the cracked DigiNotar system, he then broke into six other CAs and issued additional fake certificates — more than 500 at last count. A complete list — which includes certs for Facebook, Tor, the CIA, MI6, LogMeIn, and WordPress — is available on the Tor site. The fake certs cover even *.*.com and *.*.org, which would in theory allow the owner of the certificate to snoop on just about any site.
The Dutch government has issued an interim security report that lists some of the damage. As a Sept. 6 Internet Storm Center ISC Diary entry observed: “The hackers breached the systems possible June 6th already, this got detected by DigiNotar on June 19th, The rogue certificates were created in July and the first time the *.google.com certificate that was detected in the wild was presented on July 27th …. Yet it took till DigiNotar was notified by [a Dutch government agency] before they revoked the certificate.”
In other words, the rogue Google SSL cert was in the wild for more than five weeks. DigiNotar has responded with a press release defending its laggardly ways.
The Dutch interim report clearly points the finger in the direction of Iran: “The rogue certificate for *.google.com detected in the wild was verified against the DigiNotar OCSP service from August 4th till it was revoked on August 29th. 300,000 different IP addresses verified that certificate. More than 99% of those addresses trace back to Iran.”
People in Iran got hit this time. They’re relatively easy targets because stepping into the middle of a browser conversation with Gmail or Yahoo Mail or Hotmail or Skype is something the Iranian government can do with impunity. But that isn’t the only way rogue certs can be used for man-in-the-middle attacks.
How to minimize your chances of being attacked
If you travel to a country that has tight control over its ISPs, the ComodoHacker experience should give you pause. It would be prudent to work through a Virtual Private Network while using the Internet in those countries. (See my Nov. 4, 2010, Top Story for details on VPNs.) Although a VPN won’t always foil a rogue-cert, man-in-the-middle attack, the attacker would have many additional hurdles to clear.
I lock down my Hosts file. Back in Windows’ infancy, some programs needed to modify the Hosts file to keep working correctly. Now when code changes the Hosts file, it’s a sign of bad programming — or that you’ve been infected. To lock it down, make sure you can see hidden files (instructions), navigate to C:\Windows\System32\drivers\etc, then right-click on the file called Hosts and choose Properties. Check the box marked Read Only, shown at the bottom of Figure 2.
Figure 2. Lock down your hosts file to block one more avenue of attack.
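The same lock-down, plus a check that nothing in the Hosts file already points a sensitive domain somewhere unexpected, can be scripted. This is an added example, not from the column; the watch list is a constructed sample (the domains ComodoHacker went after), and it must be run from an elevated PowerShell 3 or later prompt.

```powershell
# Added example: audit the Hosts file for redirected domains, then set it read-only.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Constructed watch list; add your own bank and webmail domains.
$watchList = @('google.com', 'live.com', 'yahoo.com', 'skype.com',
               'mozilla.org', 'microsoft.com', 'windowsupdate.com')

function Get-SuspiciousHostsEntries {
    param([string]$Path = $hostsPath, [string[]]$Watch = $watchList)
    # Loopback/blackhole targets are the usual benign use (ad-blocking lists);
    # a watched domain sent anywhere else is what a redirection attack looks like.
    $benign   = @('127.0.0.1', '::1', '0.0.0.0')
    $findings = @()
    foreach ($line in (Get-Content -Path $Path -ErrorAction Stop)) {
        $text = ($line -split '#', 2)[0].Trim()        # strip comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }          # address with no names
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $watched = $Watch | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }
            if ($watched -and ($benign -notcontains $address)) {
                $findings += [pscustomobject]@{ Host = $name; Address = $address; Line = $line }
            }
        }
    }
    return ,$findings
}

function Lock-HostsFile {
    param([string]$Path = $hostsPath)
    $file = Get-Item -Path $Path -Force            # -Force: the file is usually hidden
    if (-not $file.IsReadOnly) {
        $file.IsReadOnly = $true                   # same as ticking Read Only in Properties
    }
    # Record a SHA-256 of the file so a later change is detectable even if the
    # read-only flag gets cleared (any admin-level process can clear it).
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{
        Path     = $Path
        ReadOnly = (Get-Item -Path $Path -Force).IsReadOnly
        Sha256   = $hash
    }
}

$hits = Get-SuspiciousHostsEntries
if ($hits) { $hits | Format-Table -AutoSize }
else       { 'No watched domains are redirected in the Hosts file.' }
Lock-HostsFile
```

Keep the printed hash somewhere outside the machine; comparing it later tells you whether the file changed, which the read-only attribute alone cannot.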
Finally, make sure you apply all recent updates for whatever browser you use. Internet Explorer, Firefox, and Chrome have yanked DigiNotar from their CA lists; Opera and Safari are just now catching up. On Sept. 6, Internet Explorer was finally updated to revoke DigiNotar certs on all versions of Windows.
What needs to be done to fix this mess
It bears noting that this insecurity isn’t a bug in Windows. It isn’t even a browser bug. It results from a defect in the way security certifications are issued and how that process has deteriorated in recent years.
Obvious questions abound. How does one compromised PC turn into six subverted CA systems? Aren’t the CAs even looking at their RAs’ internal security? How is it possible that any RA can issue certs for microsoft.com or google.com, or — for heaven’s sake — *.*.com? It doesn’t make sense.
Efforts are under way to patch the holes in the CA process. There are now multiple levels of assurance for SSL certs. For example, Extended Validation certs (such as those offered on the godaddy.com site) are subject to more stringent validation. There’s a proposal by the Internet Engineering Task Force to allow owners of specific domains to pick which CA can issue certs for their domain. These are steps in the right direction, but the system itself seems rotten.
Unless the World Wide Web Consortium can come up with a technically sound solution — and get it past all the vested interests — we’re all standing on a very shaky foundation.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.
Etiquette lesson for the computer age
By Kathleen Atkins
In any office these days, no tool is likely to be more important than a computer — well, maybe the coffeemaker.
So when your PC breaks and must go out for repair, most people understand when you need to borrow time on someone else’s system.
But don’t bring all your software to the machine you borrow without asking first! You might find that you thoroughly alienate a colleague. Forum member midnight’s co-worker did exactly that.
And it took midnight five hours of work to successfully rid her overburdened machine of her colleague’s carpetbagging apps. Read here to see how she went about it. More»
The following links are this week’s most interesting Lounge threads, including several new questions to which you might be able to provide responses:
☼ starred posts — particularly useful
If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.
If you’re already registered, you can jump right into today’s discussions in the Lounge.
The Lounge Life column is a digest of the best of the WS Lounge discussion board. Kathleen Atkins is associate editor of Windows Secrets.
Even French cattle have a fondness for jazz
By Kathleen Atkins
It’s common knowledge that the French like Jerry Lewis and jazz. Now there’s proof that French cows share that taste in music. A Utah-based jazz band stopped to entertain a bovine audience in Autrans, France — and caught the attention of the entire herd. Fortunately for the musicians, the cows proved to be a friendly and respectful crowd. (No word yet on which comedians French cows prefer.) Play the video
Upgrades end in erratic, partial hangs
By Fred Langa
A reader’s heavily upgraded XP system randomly freezes for several seconds from time to time. Strangely, during these mini-hangs, other parts of the system remain unaffected.
Power settings unexpectedly affect performance
Ian has been slowly upgrading his PC, but the last change caused a problem that could be hard to diagnose.
- “We have a friend who’s a certified computer repairman. In the last year he’s replaced our PC’s power supply, put in maximum RAM, and updated the hard drive to 500GB SATA.
“This last update was done a matter of weeks ago, and since then the system is freezing from time to time — for perhaps 15 to 20 seconds — and then going again. During this time, the clock still clicks over the seconds.
“I have the latest Comodo firewall installed, plus Microsoft’s antivirus, and I also have the firewall turned on in the DSL modem.”
Here’s what I’d check first: your recently replaced hard drive. The mini-hangs you describe sound like a hard-drive spin-up delay.
If the drive is set for aggressive power-savings, it may be spinning down too soon. When a drive is in a low-power standby state (sleeping), it has to wake and spin up before it can respond to read/write requests. That spin-up delay could indeed briefly hang whatever software was waiting for the drive, but it wouldn’t affect components such as the system clock.
You can usually diagnose this problem with your ears: listen for drive noise the next time you experience one of those mini-hangs. If the hang is accompanied by the sound of your hard drive spinning up, you’ve likely found your problem.
It’s easy to fix. Just set the drive’s sleep time to a longer interval via Control Panel’s power-settings applet. In XP, click Start, Control Panel, and Power options; then adjust the time delay shown in “Turn off hard disks.” (Vista and Win7 have similar options.)
If it’s not the drive, then I suggest you use Task Manager to see what software is dominant during a mini-hang. Chances are, whatever’s consuming the most CPU time is connected with the hang.
Use Ctrl + Alt + Del to access Task Manager, then click the Processes tab. You’ll see a list of the software currently running on your system, along with some information about each item. (See Figure 1.)
Figure 1. Task Manager’s Processes tab shows what’s consuming CPU cycles — not much, in this example of a healthy, idling system. (XP Task Manager shown)
The numbers in the CPU column represent the approximate current percentage of CPU time that loaded executables (listed in the Image Name column) are using. Click the CPU column header to re-sort the list in descending order. The list will jump around a bit as different processes use the CPU, but over a span of several seconds, the most CPU-intensive app should bubble to the top. You should thus be able to see what’s causing your system to bog down.
If you don’t recognize the name of the executable that’s possibly causing the problem, type its exact image name into your favorite search engine — one or more of the search results should describe what the software is, who publishes it, and what it does.
Alternatively, you can download the free (and excellent) Process Explorer from Microsoft’s Sysinternals (info/download). It’s a kind of amped-up Task Manager that can show you everything your system knows about each process it’s running, including publisher, location on the drive, resources used, and so on. It’s a professional-level tool — and it’s free!
(Vista and Win7 can use Process Explorer but really don’t need to. Their version of Task Manager can display the full properties of any process you right-click on — no extra software is needed.)
Once you’ve identified the problem software, take the appropriate steps to adjust its settings or replace it with a better-behaving app.
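Watching the CPU column settle over several seconds can be scripted: take two snapshots of every process’s accumulated CPU time a few seconds apart and rank by the difference, with the path and publisher that Process Explorer would show. This is an added example, not from the column; the 5-second window and top-10 cut-off are assumptions, and it needs PowerShell 3 or later.

```powershell
# Added example: find which process is eating CPU during a mini-hang.
function Get-CpuHogs {
    param([int]$Seconds = 5, [int]$Top = 10)

    # First snapshot: total processor time per process id.
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime } catch { }   # Idle/System may deny access
    }

    Start-Sleep -Seconds $Seconds                                    # run this while the hang happens

    # Second snapshot: the difference is the CPU time used inside the window.
    $cores = [Environment]::ProcessorCount
    $rows = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }           # started during the window
        $after = $null
        try { $after = $p.TotalProcessorTime } catch { continue }
        if ($null -eq $after -or $null -eq $before[$p.Id]) { continue }
        $delta = ($after - $before[$p.Id]).TotalSeconds
        $path = $null; $company = $null
        try { $path = $p.Path; $company = $p.Company } catch { }    # blank for protected processes
        [pscustomobject]@{
            Name       = $p.ProcessName
            Id         = $p.Id
            CpuPercent = [math]::Round(100 * $delta / ($Seconds * $cores), 1)   # share of all cores
            Path       = $path
            Company    = $company
        }
    }
    $rows | Sort-Object CpuPercent -Descending | Select-Object -First $Top
}

Get-CpuHogs -Seconds 5 | Format-Table -AutoSize
```

A process with a blank Path and Company that still tops the list is exactly the one to look up by name, as the column advises.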
Resetting a cranky Win7 homegroup network
George Norcross’s Win7 PCs can’t talk to each other over his home network.
- “I set up a second Win7 PC at home. The first is on a homegroup; the second receives the message, ‘This computer cannot connect to a homegroup!’ What’s the story here?”
Ah, HomeGroup. Definitely a mixed bag.
When HomeGroup works, it’s great. On raw, unconfigured Win7 networks, you can enable HomeGroup and sit back while it automatically stitches together your Win7 PCs, printers, and other peripherals. It also sets up proper sharing and security — and then manages all network operations behind the scenes.
But it doesn’t always go that way, especially with networks that contain non-Win7 systems or that were previously set up for peer networking prior to Win7. Those configurations can easily outmatch HomeGroup’s ability to figure things out.
Alas, HomeGroup is a black-box system with few user-configurable parts inside. Trying to repair it can be a deep time-sink, with no guaranteed payoff for the effort. Consequently, when things go wrong with homegroup networking, I typically abandon all finesse.
When a homegroup misbehaves, I do what amounts to a brain wipe of the network stack. Windows then rebuilds its networking subsystem from the adapters up, and that usually resolves the networking problem.
It is, admittedly, a nonprecision approach. But it’s easy and quick. If you want to try my hit-it-on-the-head method, follow these steps:
- Step 1. Close or suspend all applications that use the network — browsers, e-mail, chat, video, weather, and any other app that might be automatically updated in the background.
- Step 2. Click Start, type device manager in the Search programs and files box, then press Enter.
- Step 3. Browse the list of devices and click to expand the Network adapters section.
- Step 4. Right-click on the first adapter under Network adapters and click Uninstall. Windows will ask whether you want to remove the associated device drivers; say no, you want to keep the device driver.
- Step 5. Repeat Step 4 for all network adapters on your system under Network adapters.
- Step 6. Close Device Manager.
- Step 7. Reboot.
When you reboot, Windows will think it’s found new networking hardware and will set up fresh connections. By the end of the reboot, your network should be back and running in streamlined, trouble-free form. You can then try enabling HomeGroup again or fall back to old-school, manual networking (which works just fine in Win7, by the way, and is also faster).
You may also find these previous articles helpful:
- Feb. 25 LangaList Plus item, “Solving Windows 7 networking problems”
- Oct. 14, 2010, Top Story, “Simple change in settings pumps up Win7 networks”
Win7 and floppies from an old XP system
Burt McKenney is upgrading to Win7 but hit a snag with his old XP-written floppies.
- “My XP desktop, which had floppy capability, had its motherboard and power supply fried by a lightning strike. How can I use my floppies, written with XP, on my new Dell desktop PC — which has only Windows 7 on it and no floppy drive?”
You’re in luck! Win7 has the ability to read and write 3.5-inch floppies — whether they were written on XP, Win9x, or even DOS systems. All you need is the hardware: a floppy drive.
Open your favorite search engine and enter the phrase USB external 3.5-inch, 1.44MB floppy. You’ll find a number of well-known national retailers selling plug-and-play floppy drives for U.S. $20 or so.
Just plug one into a spare USB port, and you’re good to go!
‘Bad sectors’ come and go on his hard drive
Edward Barr’s hard drive is behaving oddly.
- “My Windows 7 Home Premium PC seems to be working perfectly, except for one issue: I tried to do an image backup using Norton Ghost 15, which has always worked fine. This time the backup failed, stating it couldn’t read some sectors. I then did an image backup using Windows 7, and it worked fine. I also did both disk-check scans, and it found (and supposedly fixed) several KBs’ worth of bad sectors. Now, a week later, Norton still fails and my HP hardware diagnostic test fails when I check the hard drive.
“I ran another total disk check and there were 680KB in bad sectors. However, the PC seems fine.
“Any ideas?”
Sounds like your drive is wearing out, Ed. One common symptom of drive wear is when sectors start showing up as bad but then seem to be (temporarily) repaired. What’s usually going on is that the head-positioning mechanism is worn and getting sloppy. Sometimes it positions the heads correctly and the sectors can be read without error; other times, the head is misaligned, and the sectors appear as bad.
Other issues can be at play, too, but they all relate to wear. There’s no fix, except to replace the drive.
Fortunately, classic, spinning-platter hard drives are unbelievably cheap these days. I recently picked up a 2TB internal drive for $59!
Replacing a drive is easy and can often be done with no tools at all or (in the case of older hardware) with no more than a screwdriver. Most new drives come with replacement instructions and even include software to assist in the migration process.
There’s plenty of other help online, too, if you need it. For example, see Microsoft’s Help & How-to page, “Install or remove a hard disk drive”; makeuseof.com’s article, “How to install a new hard drive to replace an old one”; or about.com’s article, “How do I replace a hard drive?”
Your new drive will not only be error-free, but also will likely give you better speed — and a lot more room to play in!
Fred Langa is a senior editor of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
Passwords — don't take them with you
By Lincoln Spector
In an unpredictable world, careful estate planning helps those we leave behind. But these plans often fail to account for what are becoming the primary repositories of our critical personal information: password-protected, digital files.
Needed information locked away for all time
A Windows Secrets reader wrote us recently with a grim problem.
- “Friend passed away last week. He had all his files on a thumb drive that is password-protected. No, he did not tell anyone the password, and so far his executrix has been unable to find one.”
A quick answer to this dilemma depends on how well the deceased protected his files. Ryan Russell provided tips on cracking passwords in his April 22, 2010, Perimeter Scan item, “Recovering lost passwords using boot CDs.” But if the deceased encrypted his data — if he had the knowledge of, say, a regular Windows Secrets reader — those files will never be opened again.
Our reader’s difficulty brings up an important point: when you’re gone, someone will need access to your bank accounts, your papers, and possibly even your e-mail (necessary if they are to inform your contacts of your demise). If you keep this sort of information under strong digital locks (and you should), you’re going to have to leave someone the key.
Death isn’t the only worry. Nonfatal accidents or illnesses such as a stroke can render that vital information we carry in our brains inaccessible. So when making your contingency plans, be sure to include the digital component.
Leave a secure way into your personal info
So how do you maintain full security for your digital data and still leave a back door open for caretakers, executors, and/or beneficiaries?
“It would be the same answer if you were to buy a house safe,” says San Francisco attorney Michael Blacksburg (info), who specializes in estate planning. “Don’t be dumb enough to be the only person with the key or with the code.”
True enough, but there is a significant difference between a physical safe and a high-quality encryption program backed by a strong password. Home safes are relatively easy to crack — even the company that made the safe will help, with the right paperwork. And banks will give access to safe-deposit boxes if beneficiaries prove they have rights to what’s inside.
But PCs protected with commonly available encryption systems? They’re nearly impossible to break into.
Fortunately, you have a simple solution. Leave your password (or set of passwords) with someone you trust, such as your spouse or your lawyer. “Sit down and plan out [what would happen] if you could not run the show yourself,” advises Blacksburg. “What are the important assets in your life? Once you know this, it’s easier to decide who needs your passwords.”
Make sure that the people to whom you entrust your password keep it in a secure place. Or keep the passwords yourself in a home safe or a safe-deposit box. Leave a letter in your will or trust that tells the executor where he can acquire these passwords.
Managing constantly changing passwords
Many of you have undoubtedly recognized the obvious snag to this advice. Passwords are fluid; we change them regularly as we go from one service to another, or we change them simply because that practice keeps our digital data more secure.
Are we really going to rewrite a hard-copy letter and restash it every time we change a password? Not likely!
The solution is to keep all your passwords in one encrypted place and then share only a master password with your designated heir or executor.
You can do this easily with a password-manager application such as Password Safe [info]. Encourage your family members to do the same. The password to your password manager becomes the key that unlocks all your digital accounts, files, and other records.
Each family member’s master password should be kept in other members’ password managers. That way, for example, both you and your spouse can access any family member’s passwords, should some unexpected disaster make that necessary.
There are hitches to this plan, too. For instance, you need to absolutely trust your spouse — not always a given. Decide whom you trust most and let that person keep your master password. Include in your will or trust instructions for who should have access to the password and what he or she is allowed to do with it.
And what if you and your spouse pass on together — say, in a car accident? Two sets of passwords might be lost. So give your master password to a third party — perhaps someone you rarely associate with in person.
You might have some private memberships and files that you don’t want anyone to see, even if you’re incapacitated or deceased. Just store that highly personal information in a separate, encrypted area — and keep the password to yourself.
If ultimately your passwords are lost for good
The precautions I described above will make your executor’s tasks considerably easier, but failure to do so won’t make those tasks impossible. “There isn’t anything on [the reader’s] flash drive that isn’t somewhere else,” Blacksburg points out. “[Somewhere,] there’s documentation about where the accounts are.”
But gathering that documentation and assembling the paperwork needed to access accounts can take weeks. For example, your executor will need to find out what banks have accounts in your name — not always easy if you opt to not use paper records. The executor will then have to produce a copy of the death certificate and proof that he or she has rights to the account information. It’s all much easier if your executor has a list of all of your accounts — along with the sign-in names and passwords to access them online.
The same is true of e-mail accounts. Your executor can eventually acquire access to your Gmail or Hotmail accounts without a password, but it won’t be easy. Google’s statement on the subject is anything but promising:
“Any decision to provide the contents of a deceased user’s e-mail will be made only after a careful review, and the application to obtain e-mail content is a lengthy process. Before you begin, please understand that Google may be unable to provide the Gmail account content, and sending a request or filing the required documentation does not guarantee that we will be able to assist you.” [full statement]
It could be weeks or months before people find out why you haven’t been responding to their e-mail.
Social networks can be easier. Facebook requires only that you fill out a short form, including a link to an obituary. But it will still be easier if your heirs can see what social networks you belong to.
No one likes to think about death, but these simple steps will make it a little easier for your survivors. After all, they have more than enough to cope with in your absence.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.
Moving more DigiNotar certs to 'untrusted'
By Susan Bradley
The DigiNotar root-certificate debacle was big news and struck at the foundations of our Internet security. The fallout affects everyone, from Windows PCs to Mac systems, with updates all around.
(You’ll find more on this topic in this week’s Top Story, “The sorry tale of the (un)Secure Sockets Layer,” and in my Sept. 8 Top Story, “Certificate cleanup for most personal computers.”)
2616676
More DigiNotar security certificates revoked
The DigiNotar break-in story that broke last week has Microsoft (and everyone else that uses these certificates) scrambling to get out updates.
Update KB 2616676 supersedes KB 2607712 and addresses a larger set of root certificates, as listed below.
- DigiNotar Root CA
- DigiNotar Root CA G2
- DigiNotar PKIoverheid CA Overheid
- DigiNotar PKIoverheid CA Organisatie — G2
- DigiNotar PKIoverheid CA Overheid en Bedrijven
- DigiNotar Root CA issued by Entrust (2 certificates)
- DigiNotar Services 1024 CA issued by Entrust
- DigiNotar Cyber CA issued by GTE CyberTrust (3 certificates)
All operating systems from XP to Windows 7 are affected. XP machines will require a reboot; Win7 machines should not need a reboot if Internet Explorer is not open on your desktop.
► What to do: If you still have any of these certificates in your Trusted Certificate Store, installing this update will move them to the Untrusted Certificate Store — sufficient to protect you from any potential man-in-the-middle attacks. Install KB 2616676 when offered, or go to the related support article to manually download and run the patch.
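Here is a way to verify the outcome on a given machine, as an added example (not from the column and not Microsoft's own tooling): it checks whether KB 2616676 shows up in the installed-update list and then scans the machine and user Trusted Root, Intermediate, and Untrusted stores for any certificate issued by or for DigiNotar. It assumes an elevated PowerShell 2.0 or later session (Windows 7 era); the CA names and KB number are the ones listed above, and the `DigiNotar` match string is simply the common substring of those names.

```powershell
# Added example: audit a Windows PC for DigiNotar certificates and for KB 2616676.
# Not part of the original Patch Watch column. Assumes PowerShell 2.0+ run as admin.

$kb = 'KB2616676'   # the update that moves the DigiNotar roots to Untrusted

# Get-HotFix lists installed Windows updates (Win32_QuickFixEngineering).
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq $kb }
if ($installed) {
    "$kb is installed (installed on $($installed.InstalledOn))"
} else {
    "$kb is NOT installed - expect DigiNotar roots to still be trusted"
}

# Stores to inspect: Root = Trusted Root CAs, CA = Intermediate CAs,
# Disallowed = Untrusted Certificates. Check both machine and user scope.
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Disallowed',
    'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA',  'Cert:\CurrentUser\Disallowed'
)

# Collect every DigiNotar-related certificate with the store it lives in.
$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'DigiNotar' -or $_.Issuer -match 'DigiNotar' } |
        ForEach-Object {
            # A DigiNotar cert in Root or CA is still trusted; only Disallowed is safe.
            $state = if ($store -like '*\Disallowed') { 'untrusted (ok)' }
                     else { 'TRUSTED - apply KB 2616676 or remove manually' }
            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                State      = $state
            }
        }
}

if ($findings) {
    $findings | Format-Table Store, State, Subject, Thumbprint -AutoSize
} else {
    'No DigiNotar certificates found in any inspected store.'
}
```

After the update has applied, every row reported should show the Disallowed store and the `untrusted (ok)` state; any row still in a Root or CA store means that certificate would still validate a forged site certificate until it is moved.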
MS11-071 (2570947)
A never-ending train of DLL-preloading fixes
Dynamic Link Library (DLL) preloading attacks are a serious threat we’ve been tracking and patching since at least August 2010 (see MS Security Advisory 2269637). This time, the fix prevents attacks on valid rich text–format files (.rtf), text files (.txt), and Word documents (.doc) located in the same network directory as a malicious .dll.
The attacker might obtain the same rights to your computer as you. If you’re running with administrator rights, a hacker could take complete control of your system.
► What to do: Although KB 2570947 is rated important for all current versions of Windows, I recommend installing it immediately — either through Windows Update or via the download links in MS11-071.
MS11-073 (2587634)
Malicious Office files lead to attack
This update is similar to the one above, but instead of DLL files, the threat comes from rogue Office files. Once again, the attacker could acquire the same rights as the current user on a targeted PC when the user opens the malicious file or a valid Office file in the same network directory.
This patch is rated important for systems running Office 2003 SP3, 2007 SP2, and all versions of Office 2010. As with the DLL attacks, you’re more vulnerable if you’re running with administrator rights — as many of us still do.
► What to do: Install KB 2587634 if offered in Windows Update, or go to MS11-073 for additional details and download links. As with previous Office updates, you may see updates offered for versions of Office you don’t have, because of shared code (as described in MS Support article 2587634).
MS11-072 (2587505)
A pack of patches targets malicious Excel files
According to an April 1 Gartner Research report, malicious Excel files were behind the phishing attacks that led to RSA’s SecurID (info) breach. Using a Trojan included in the Excel spreadsheets, the attackers eventually gained access to a targeted system and stole sensitive data.
The updates in MS Security Bulletin MS11-072 (KB 2587505) are designed to make using Excel in that type of attack more difficult. I was expecting one patch (KB 2553073) but, surprisingly, received three additional, related updates. Of the four, only one clearly states that it’s for Excel in Windows Update; the rest were labeled as Office updates KB 2553089, KB 2553090, and KB 2553074 (shown in Figure 1).
Figure 1. Windows Update offered a slew of Office patches for an Excel-related vulnerability. The updates you’ll see will depend on your installed version of Office.
MS11-072 gives a complete list of the patches in this bulletin. They impact versions of Excel 2003, 2007, and 2010. All are rated important.
► What to do: Install all of these updates as soon as they’re offered, or go to MS11-072 for links to the appropriate patch-download pages.
MS11-074 (2451858)
SharePoint update requires an extra step on SBS
SharePoint is Microsoft’s Web-based file-sharing platform. Updating this app can be tricky, especially when it’s running on Microsoft’s Small Business Server (SBS).
As noted in the Official SBS blog, you must manually run the SharePoint psconfig.exe command after installing any update to SharePoint 2010 on an SBS 2011 system. (The psconfig command runs automatically on earlier versions of SharePoint using SBS 2008.) If you fail to manually run psconfig on an SBS 2011 system, it might impact the server’s built-in backup system, according to a July 6 SBS blog post.
Occasionally, psconfig does not finish and you must take additional steps to complete the upgrade, as detailed in a prior blog post.
► What to do: Install KB 2451858 (described in MS11-074). Then run psconfig.exe manually on SBS 2011 servers, or ensure that psconfig ran automatically on SBS 2008 systems.
MS11-070 (2571621)
Last important patch of the month for admins
This month’s last important Microsoft security update should interest only Windows server admins. Windows Internet Name Service (WINS; definition) is a technology used primarily in Windows Server 2003 networks that support older versions of Windows and apps using NetBIOS.
An attacker could use a flaw in WINS to gain higher privileges on a user’s PC. But the update is rated only important because the attacker must sign in locally and have valid credentials.
► What to do: I recommend server administrators install KB 2571621 (detailed in MS11-070) after testing the patch on a nonproduction server — or making sure you have a fresh backup.
A confusing Office 2010 File Validation update
Despite its title, KB 2553065 is not just for Office 2010. It’s actually a revision of KB 2501584, the troublesome Office File Validation update offered to Office 2003, 2007, and 2010 users.
With KB 2501584 installed, Excel 2003 files took longer to load over networks.
► What to do: I’m still a bit leery of this update. Either skip KB 2553065 or, if you want better protection for your Office files, upgrade to Office 2010.
Apple blocks DigiNotar Certificates, too
The DigiNotar cleanup isn’t limited to Windows systems. Apple Security Update 2011-005 (article HT4920) describes the DigiNotar problem and offers the patch through the Mac Software Update system or via the Apple Support Downloads page.
Older Macs are not included in the update; it applies only to OS X desktop and server Versions 10.6 and up.
► What to do: Look for the update offering if you’re running Snow Leopard or Lion. To manually download the patch, go to the update page for either Snow Leopard or Lion.
Acrobat 8 and Reader 8 get end-of-life notice
If you’re still using Adobe Acrobat 8 and Reader 8, be forewarned that Adobe will no longer support these versions after November 3, 2011. Plan on either upgrading to newer editions or finding a replacement app such as Foxit PhantomPDF (info).
► What to do: A Sept. 13 Adobe security bulletin summarizes the most current versions of Acrobat and Reader. Recent updates for Adobe Reader include Versions 10.1.1, 9.4.6, and 8.3.1.
Given the spate of security issues with Adobe Acrobat, Flash, and Reader, it’s best to stay up on their latest updates.
Regularly updated problem-patch chart
This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table.
| Patch | Released | Description | Status |
|---|---|---|---|
| 2487367 | 08-09 | August .NET updates; see MS11-066 for complete patch list | Skip |
| 2533523 | 08-09 | .NET 4 Reliability Update 1 | Skip |
| 2539631 | 08-09 | August .NET updates; see MS11-069 for complete patch list | Skip |
| 2553065 | 09-13 | Office File Validation update | Skip |
| 2541014 | 05-24 | Windows Application Compatibility List update | Wait |
| 2539581 | 06-14 | Office 2003 update (nonsecurity) | Wait |
| 2510690 | 06-28 | Office 2010 SP1 | Wait |
| 2541763 | 06-28 | Fixes TLS/SSL handshake with Internet Explorer and Win XP or Vista | Wait |
| 2545698 | 06-28 | Resolves font-display issues in IE 9 with Vista and Win7 | Wait |
| 2547666 | 06-28 | Resolves long-URL issues in IE and Windows 7 | Wait |
| 2552343 | 06-28 | Resolves time-out issues in Windows 7 | Wait |
| 2528583 | 07-12 | Cumulative update for SQL Server 2008 R2 | Wait |
| 982018 | 07-12 | Advanced Format disk-configuration update | Optional |
| 2570791 | 08-25 | Daylight-saving update: time-zone specific, Outlook issues | Optional |
| 2546250 | 08-09 | Remote Desktop Web Access vulnerability | Install |
| 2556532 | 08-09 | Windows Kernel flaw exploit could allow denial of service | Install |
| 2560656 | 08-09 | Excel file .dll-preloading fix | Install |
| 2563894 | 08-09 | BSOD due to TCP/IP stack vulnerability | Install |
| 2566454 | 08-09 | Elevation-of-privilege attack on XP systems | Install |
| 2567680 | 08-09 | Windows Client/Server Runtime Subsystem attack | Install |
| 2570222 | 08-09 | Remote Desktop Protocol flaw could allow denial of service | Install |
| 947821 | 08-25 | System Update Readiness Tool | Install |
| 2570947 | 09-13 | More .dll-preloading updates | Install |
| 2587505 | 09-13 | Multiple Excel updates; see MS11-072 for all related updates | Install |
| 2587634 | 09-13 | Fix for malicious Office files | Install |
| 2616676 | 09-13 | DigiNotar certificate revocation | Install |
Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.