Watch out for end-of-year exploits
In this issue
- INTRODUCTION: Watch out for end-of-year exploits
- TOP STORY: Beware of unexpected holiday gifts
By Brian Livingston
The week between Christmas and New Year’s Day, when Microsoft and many security companies take several days off, is a time when some hackers think they can take advantage of the season. I’m sending out today’s short news update solely to alert you in case some threat starts spreading rapidly on the Internet this week.
The holiday break can be a hacker opportunity
Because several security holes are currently being exploited — some of which have gone unpatched by Microsoft for months — I’ve asked contributing editor Susan Bradley to give you the resources you need to protect yourself. Her story begins immediately below this introduction.
Last year, the “slow” holiday season became wa-a-ay too exciting. That’s because a Windows Metafile (WMF) flaw suddenly became widely exploited in late December of 2005. Merely viewing an infected image on a Web page, or listing an innocent-looking icon in Windows Explorer, could silently infect your PC with a Trojan horse or other malware.
As the use of this exploit spread, I took the unprecedented step of publishing two news updates in a single week.
When Microsoft announced that a patch for the problem might or might not be released on the next-scheduled Patch Tuesday, I published on Jan. 4, 2006, a recommendation that readers install a simple but effective unofficial patch.
Without warning, the Redmond software giant suddenly switched gears and issued an official patch on Jan. 5. So I published another news update on Jan. 6. This one urged readers to install Microsoft’s own patch. It also described how to uninstall some incompatible hacks that had been stupidly recommended by other sites.
Let’s hope that the turn of the calendar from 2006 to 2007 doesn’t exhibit the same wave of attacks. But if one of today’s known, unpatched exploits does become widely distributed, Susan’s analysis will give you a powerful advantage over the bad guys.
If you’re not getting the regular weekly bulletins from Susan, Woody Leonhard, Chris Mosby, Ryan Russell, and all the other LangaList Plus tips, you’re missing information that’s vital to your use of Windows. It’s easy to upgrade to the paid version. There’s no fixed fee. We accept a voluntary contribution of whatever it’s worth to you. How to upgrade
News updates have no paid version
Today’s e-mail message is a short news update. News updates don’t include our usual columnists or other sections. A news update also has no paid version. The same brief message goes out to both our free and our paid subscribers.
Next regular newsletter: Jan. 4
We’ll go back to our weekly publication schedule with our next regular issue on Jan. 4, 2007. The newsletter is published on the 1st through 4th Thursdays of each month, with vacation breaks in late August, Thanksgiving Week, and Christmas/New Year’s.
We’ve had a nice holiday respite during the past two weeks, but now it’s time to get back to work. We’re looking forward to digging up the best Windows tips for you in the months to come. Thanks for your support.
Brian Livingston is editorial director of WindowsSecrets.com and the coauthor of Windows Me Secrets and nine other books.
Beware of unexpected holiday gifts
By Susan Bradley
By now you’ve opened your presents and you’re playing with your new tech toys — but don’t let the Grinch spoil your holiday season. Let’s take a quick look at some flaws that Microsoft hasn’t yet patched, and which people may use to try to scam you this season.
Unpatched issues to look out for
Incidents.org recently published a recap of 10 security holes that Microsoft still hasn’t patched as we enter the New Year. Some of these were publicly disclosed as long ago as Oct. 20, 2006.
One exploit, first disclosed on Oct. 24, involves ActiveX controls that can crash Internet Explorer and possibly infect a PC. This flaw is rated “critical” by the Internet Storm Center, but the recap does provide a workaround that advanced system admins can use to close the hole. No patch or update is yet available for beginning and intermediate users, unfortunately. (If you don’t know how to “set a killbit,” wait for a patch to be released.)
The other most urgent threats are three “unspecified vulnerabilities” in Microsoft Word. These exploits, which can infect a PC even if Word macros are turned off, have led some firms with strict security policies to block all Word document attachments.
I believe that this policy is extreme at this time. The threats became known only this month, and I haven’t seen widespread use of the three exploits. The reality with any e-mail attachment is that only attachments that you’re expecting should be opened. If you’re not expecting an attachment, don’t open it. If in doubt, call or e-mail the sender to confirm.
Further details on eight of the unpatched security holes are provided in eEye Digital Security’s Zero-Day Tracker — a Web page that links to complete descriptions of the problems.
The first Vista security issue?
Last year at this time, we were all trying to protect against the Windows Metafile (WMF) vulnerability, which could infect you if you simply viewed a hacked image on a Web page. This issue was corrected by Microsoft in its first (out-of-cycle) patch of the year, MS06-001.
This year, we’re watching an issue that was discussed on the Microsoft Security Response Center blog on Dec. 22. This flaw allows a hacker to raise a Trojan horse’s user-rights level, allowing the intruder to obtain administrative rights.
Determina had reported this issue to Microsoft earlier, but had withheld the details while awaiting an official patch. After the flaw became more widely known, the company reported it on Dec. 20.
The bad news is that the problem affects Vista as well as Microsoft’s older operating systems, including fully patched versions of Windows 2000, XP, and 2003. The good news is that the problem reportedly can’t be used remotely to hack into your PC via the Internet — you must at least open an attachment, click OK on a dialog box to install a Trojan horse, or take some other action.
Hopefully, a patch for all affected systems will be released on Patch Tuesday, Jan. 9.
E-mails bear PowerPoints with Christmas surprise
’Tis the season for mailed Christmas newsletters that recap the family doings, from Billy’s braces to Mary’s multiple awards. But it’s also the season for pretend Christmas e-mails and other ways to wriggle bad things onto your system.
The latest example, which uses an infected PowerPoint file to display a “Christmas blessing,” is illustrated by F-Secure.
This exploit was blocked by security bulletin MS06-012, released on Mar. 14, 2006. But not everyone has that patch installed. Also, most antivirus programs were slow in detecting and blocking the infected file, according to a test published on Dec. 24 by the SANS Handler’s Diary.
It’s absurd that we need to guard ourselves against PowerPoint data files, which should be totally benign. But if your systems aren’t fully patched, this Christmas blessing can infect you for the New Year.
IE 7 interferes with Exchange Server Help
If you’ve installed Internet Explorer 7 on servers running Exchange 2003, you may find that the Help files inside Exchange System Manager start having issues.
As was pointed out in Sandi Hardmeier’s IE 7 issues site, the problem is with a file named psapi.dll. According to the post, IE 7 shipped with a newer version of that DLL. But launching help inside Exchange System Manager causes the older psapi.dll to be loaded instead.
If you use the Exchange System Manager that’s embedded in the Server Management Console, there is no issue. This gives us a few different ways to implement workarounds:
1. Use the Server Management console;
2. Remove psapi.dll from the Exchsrvr\bin subdirectory (this fixes the problem without causing any other issues); or
3. Uninstall IE 7, which causes your system to revert to IE 6.
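For workaround 2, the following PowerShell script is an added example, not part of the original newsletter. It compares the Exchange copy of psapi.dll with the System32 copy, shows which copy a running mmc.exe actually loaded, and renames (rather than deletes) the Exchange copy only when it is the older one. The default Exchange path, the System32 location of the newer DLL, the `-Apply` switch and the `.pre-ie7` suffix are assumptions of this example.

```powershell
# Added example; paths assume a default Exchange 2003 install. Run from an elevated prompt.
param(
    [string]$ExchangeBin = (Join-Path $env:ProgramFiles 'Exchsrvr\bin'),  # assumed default location
    [switch]$Apply                                                        # without -Apply nothing is changed
)

$systemCopy   = Join-Path $env:SystemRoot 'System32\psapi.dll'   # assumed home of the newer DLL
$exchangeCopy = Join-Path $ExchangeBin 'psapi.dll'

function Get-DllVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    New-Object System.Version -ArgumentList @(
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
}

$sysVer  = Get-DllVersion $systemCopy
$exchVer = Get-DllVersion $exchangeCopy
"System32 copy : $systemCopy ($sysVer)"
"Exchange copy : $exchangeCopy ($exchVer)"

# Which copy did a running management console actually load?
Get-Process -Name mmc -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $proc.Modules | Where-Object { $_.ModuleName -ieq 'psapi.dll' } |
        ForEach-Object { "mmc.exe PID $($proc.Id) loaded $($_.FileName)" }
}

if ($null -eq $exchVer) {
    'No psapi.dll in the Exchange bin directory; nothing to do.'
} elseif ($null -eq $sysVer) {
    'No System32 copy found; leaving the Exchange copy in place.'
} elseif ($exchVer -ge $sysVer) {
    'Exchange copy is not older than the System32 copy; leaving it in place.'
} elseif ($Apply) {
    # Rename instead of delete so the change is easy to undo.
    Rename-Item -LiteralPath $exchangeCopy -NewName 'psapi.dll.pre-ie7' -ErrorAction Stop
    'Renamed the older Exchange copy to psapi.dll.pre-ie7.'
} else {
    'Exchange copy is older. Re-run with -Apply to rename it.'
}
```

Close and reopen Exchange System Manager after the rename so the console loads the remaining copy.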
You really shouldn’t be surfing the Web using a server anyway. So I’d argue that there’s not a great need to install IE 7 on a server in the first place.
Susan Bradley’s regular Patch Watch column appears in the paid version of the Windows Secrets Newsletter twice a month. She recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).