The promise of XP SP2
In this issue
- INTRODUCTION: Major improvements are coming to Brian's Buzz on Windows
- TOP STORY: The promise of XP Service Pack 2
- PATCH WATCH: Web sites infect IE, no patch yet
- INSIDER TRICKS: How Microsoft lost the API war
- WACKY WEB WEEK: USDA classifies frozen French fries as fresh vegetables
Major improvements are coming to Brian's Buzz on Windows
I think you’ll be pleased to read the announcements I’ll be making in the next issue of this newsletter. Thanks to my readers’ generous contributions, major names in Windows expertise will be joining me to bring you new and improved content. And I’ll be able to unveil a much stronger search-engine technology for WinFind, my free service that unearths Windows tips and tricks for you in respected high-tech Web sites.
IMPORTANT: Please add our new “From” address to your whitelist
These developments will require one small adjustment on your part. My improved publishing system will e-mail the newsletter to you using a new “From” address. Your e-mail system will need to recognize this address so the newsletter isn’t deleted by “junk mail” filters.
You’ll receive the next newsletter on July 8, not July 1
I’m concerned about the speed with which computer worms are taking advantage of new security weaknesses that are announced by Microsoft. In some cases, a hacker’s exploit has appeared “in the wild” within 30 days.
Last November, the Redmond software giant began routinely releasing its announcements and the related patches (if any) on the 2nd Tuesday of each month. In the past, I published Brian’s Buzz twice a month and then switched it to every two weeks on alternating Thursdays. But this every-two-weeks schedule means that now the newsletter sometimes comes out only two days after an announcement (too soon for me to analyze a new patch) and then 16 days after the announcement (too long for you to wait for advice on whether installing the patch would cause other problems).
For this reason, I’m changing my publication schedule back to twice a month — on the Thursday the week before Microsoft’s announcement and the Thursday the week after. This means a newsletter will always come out within nine days after the company’s scheduled announcement of new security weaknesses. (Additionally, I’ll publish a special “newsletter update” if an urgent problem suddenly requires your attention.)
The next two issues of Brian’s Buzz, therefore, won’t be e-mailed to you on July 1 and 15 but on July 8 and 22.
I appreciate your understanding as all of the above changes are implemented. I look forward to your feedback as the improvements I’ve worked on during the past several months are revealed to you in the next two issues. Stay tuned, and thanks for your support. —Brian Livingston
The promise of XP Service Pack 2
By Brian Livingston
After many agonizing months of development, Microsoft issued on June 14 its Release Candidate 2 of the major new upgrade, Service Pack 2 (SP2) for Windows XP. As a “release candidate,” the update is not yet a supported package that can be installed en masse by Windows users. (For one thing, it’s never recommended that you install the final software over a release candidate, even if there’s an uninstall feature for the beta version.) But it’s getting very close to the “gold” version of the software that Microsoft will soon be urging all XP users to install.
Many observers have commented that XP SP2 isn’t really an upgrade to the operating system. It’s more like an entirely new version of Windows, which Microsoft is giving away free in order to squelch Internet viruses and worms that otherwise would continue to erode support for its cash cow.
In this sense, an update from Windows XP to XP SP2 is on the order of the upgrade from Windows 98 to Windows Me. The new operating system almost deserves its own new name. Instead of XP, perhaps we should bump the name up in the alphabet one letter and call the result Y-Me (“why me?”).
But in an important way, XP SP2 will be a much bigger shift than the one from Windows 98 to Me. Microsoft has finally gotten really tired of being the butt of jokes for the almost-weekly new attacks launched on its products by teenagers. So the Redmond company has decided to break some significant behaviors that Windows users have come to rely upon.
As regular readers know, I’m not one to delve into the features of “vaporware” that you can’t buy and use, such as most beta versions of programs. I prefer to wait until you can actually put a product to work. At that point, it’s fair game to be analyzed and its secrets revealed to a worldwide audience.
XP SP2, however, is worth looking at well before it comes out. If you haven’t downloaded and tested a previous release candidate of SP2 on a sacrificial PC, there’s still time. Microsoft has scrapped its previous confidence that the final release of SP2 will become available by late July, according to an eWeek article. That means it might make an appearance by the end of July, but it’s more likely to age in Microsoft’s oaken barrels until August, September, or even later.
I’ll write more about XP SP2 in future issues of Brian’s Buzz as the upgrade gets closer to final distribution and, of course, as soon as millions of XP users are actually installing it and learning about its quirks.
But in the meantime, XP SP2 will change so many relationships between Windows, third-party applications, and the Internet that you should know about (and start considering your response to) at least the following concerns:
Web sites need to check their technology
SP2 will include a new version of Internet Explorer. The new IE will include some of the security limitations of the browser found in Windows Server 2003, although not as many user restrictions. The new browser, however, will block ActiveX controls, downloadable add-ins, pop-up windows, and other features commonly used in many Web sites. If you or your company maintain a site, you owe it to yourself to check Microsoft’s list of changes and adjust your technology accordingly. More info
SQL Server and other MS apps require changes
Microsoft warns that its SQL Server 2000 database package and many other similar programs that are accessed across a network will have problems in certain cases. The biggest change is that SP2’s “Internet Firewall” will be turned on by default and may block users. This affects not just SQL Server but also MSDE (Microsoft SQL Server Desktop Engine), which is used by Visio, SharePoint Team Services, and numerous other applications. The Redmond company describes several workarounds for this in its FAQ, “How Windows XP Service Pack 2 (SP2) Affects SQL Server and MSDE,” dated May 24. More info
That’s just the beginning…
There are far too many changes wrought by XP SP2 to even start to list them here. For its part, Microsoft has already documented the known issues in an 8-part document, “Changes to Functionality in Microsoft Windows XP Service Pack 2.” If you support Windows XP in your business or home, at least perusing this explanation of the issues will give you a heads-up — before you’re forced to learn about them the hard way. More info
XP SP2 holds out the promise to Windows users that their PCs will be safer against Internet break-ins, without so much urgency about installing patches for individual threats. But this promised land won’t come without a cost. As soon as SP2 is released, we’ll all inevitably learn about side-effects and gotchas that hadn’t previously been well publicized.
To obtain RC2 of XP SP2, and for more information about its behavior, visit Microsoft’s Windows XP home page.
Finally, for really, really exhaustive details on the beta stages of XP SP2 and the upgrade’s potential impacts on users, Neowin.net has posted a gigantic list of articles and discussion-forum threads on the subject. More info
To send me more information about XP SP2, or to send me a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send me a comment that I print.
Web sites infect IE, no patch yet
An exploit is loose on the Internet that allows a Web site to infect a PC running a fully patched version of Internet Explorer 6, and Microsoft at this writing has no patch available to close the security hole.
According to an analysis published by Jelmer Kuperus, a computer science student in the Netherlands, the attack illustrates two new, previously unknown weaknesses in IE 6.
For now, the exploits that have been reported to be “in the wild” merely install a new toolbar into IE and then display pop-up ads, some of which are adult-oriented. (The toolbar is downloaded from a site known as I-Lookup, which is registered in Costa Rica. But the Trojan horse that exploits the IE hole could have been written by an independent affiliate, not someone associated with the site itself.) The security flaws, however, could easily leave a PC open to actual damage, if different code was substituted by a truly malicious hacker.
After Kuperus announced the problem on Full-Disclosure, a security mailing list, the flaw was confirmed by numerous organizations, including US-CERT and Secunia Security. The latter consulting group rated the seriousness of the problem as “extremely critical,” the highest category of threat.
Although Microsoft as yet has no patch to correct the IE 6 flaw, the upcoming Service Pack 2 (SP2) for Windows XP is said to close the hole. A new beta release of SP2 — Release Candidate 2 — came out on June 14. But, according to eWeek magazine, Microsoft has backed away from earlier promises that the final product will emerge in late July. It could be delayed into August or later.
Since it’s never recommended that you install a final build over a beta release, even one that’s been uninstalled, XP SP2 isn’t a viable solution for most Windows users at this time. Until XP SP2 is publicly available and you’ve installed it (if you decide to do so), there are steps you can take to understand and avoid the I-Lookup problem.
Preventing the I-Lookup Trojan
The Trojan horse that gains control of a PC via the IE 6 security issue — referred to as the “I-Lookup Trojan” after the Web site from which it was originally observed being downloaded — operates by attracting visitors to a Web site that runs the exploit. The site uses the little-known “URL” protocol, not to be confused with the “http://” protocol, to open an HTML file on the visitor’s PC. Since the file is on the local hard disk, IE runs it in the Local Machine security zone, where it runs with high privileges (since IE assumes local files to be trustworthy).
The malicious program takes advantage of this trusted security level to inject and run code that infects the PC. This is called a “cross-zone scripting error,” which Kuperus claims he informed Microsoft about on Aug. 26, 2003.
It’s unlikely that the exploit would operate on an end user viewing an HTML e-mail in an Outlook preview pane, as opposed to viewing a Web site in IE 6. That’s because Outlook 2002 and 2003 and Outlook Express 6, by default, handle e-mail in the Restricted zone, in which the technique fails. Installing an Outlook E-Mail Security Update, however, is necessary to get the same protection in Outlook 2000 and Outlook 98.
To prevent the attack from succeeding when Web sites are viewed in IE 6, you can take different steps depending on whether or not you access the Internet via a proxy server:
• Block the URL protocol at the proxy server. You can filter out Web pages that use the “Location:” HTTP header to open a file on a visitor’s PC via the “URL:” protocol. For more information on how Windows uses the URL protocol, see the Microsoft Developer Network and the previously mentioned US-CERT and Secunia bulletins.
• Disable ActiveX and Active Scripting except for known good sites. If you don’t use a proxy server, you can prevent the attack by temporarily turning off ActiveX and Active Scripting in IE 6’s so-called Internet zone. For instructions on doing this, read CERT’s FAQ on the subject. (The document provides information on securing IE 5, which is not relevant to this exploit, but the instructions also work for IE 6.)
Many Web sites rely on active content in order to display their pages properly. You can work around this in a variety of ways. First, you can set ActiveX to Prompt rather than Disable. This is likely to subject you to many warning dialog boxes, however — sometimes more than one per Web page — when you visit a site that uses active content. To avoid this, you can add sites you know and trust to IE’s Trusted Sites zone, so they can use active content without displaying any warnings. To do this in IE, click Tools, Internet Options, Security, Trusted Sites, Sites, and add the name of any site you wish to put in this zone.
As an alternative way to protect your PC, Microsoft recently began recommending that IE users set the security level on all sites in the Internet zone to High rather than Medium. This, however, prevents many sites from working, including Microsoft’s own Windows Update site. You’d have to add Windows Update and many sites to the Trusted Sites zone if your Internet zone is set to High security.
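The proxy-side filter described in the first bullet above, sketched as an added example (not code from this newsletter or from any proxy product): it parses a response's header block and flags a “Location:” header whose value begins with the “URL:” protocol. The function names and the sample responses are constructed for illustration.

```python
import re

# A Location value that begins with the "URL:" pseudo-protocol,
# ignoring letter case and stray whitespace around the colon.
_URL_PROTOCOL = re.compile(r"^\s*url\s*:", re.IGNORECASE)


def parse_headers(raw_head: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from an HTTP response header block.

    Folded continuation lines (starting with a space or tab) are joined
    to the previous header so a value cannot hide behind a line break.
    Parsing stops at the blank line, so body text is never inspected.
    """
    lines = re.split(r"\r?\n", raw_head.decode("iso-8859-1"))
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:                 # lines[0] is the status line
        if not line:
            break                          # end of the header block
        if line[0] in " \t" and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def should_block(raw_head: bytes) -> bool:
    """True if any Location header redirects via the URL: protocol."""
    return any(
        name == "location" and _URL_PROTOCOL.match(value)
        for name, value in parse_headers(raw_head)
    )


def filter_response(raw_head: bytes) -> bytes:
    """Pass the header block through, or replace it with a 403."""
    if should_block(raw_head):
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    return raw_head


# Constructed sample responses (placeholders, not captured traffic).
SAMPLES = {
    "plain_redirect": b"HTTP/1.1 302 Found\r\n"
                      b"Location: http://www.example.com/url:help\r\n\r\n",
    "url_protocol": b"HTTP/1.1 302 Found\r\n"
                    b"Location: URL:placeholder-local-resource\r\n\r\n",
    "mixed_case": b"HTTP/1.1 302 Found\r\n"
                  b"location:  uRl :placeholder-local-resource\r\n\r\n",
    "folded_value": b"HTTP/1.1 302 Found\r\n"
                    b"Location:\r\n URL:placeholder-local-resource\r\n\r\n",
    "body_only": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                 b"Location: URL:placeholder-local-resource\r\n",
}


def scan_samples() -> dict[str, bool]:
    """Run the check over the constructed samples."""
    return {name: should_block(head) for name, head in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in scan_samples().items():
        print(f"{name:15} {'BLOCK' if blocked else 'pass'}")
```

Matching only at the start of the header value keeps ordinary redirects whose path happens to contain “url:” from being blocked.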
Use a browser other than IE
Some Windows users have already switched to other browsers such as Opera, Mozilla, and the beta Firefox. Since the I-Lookup problem, to name one, is a vulnerability that exists only in IE, these alternative browsers are safer to use. I myself now use Mozilla whenever access to an online banking site is required, simply because the tiny market share of the non-IE browsers makes them less likely to be the target of “phishing” exploits. Be aware, however, that IE code remains on your PC even if you no longer use IE, so security holes in it still need to be patched whenever Microsoft releases a new security bulletin.
For information on XP SP2, which should improve the security problems in IE 6 and in other programs, read my report on the progress of this update in the Top Story at the beginning of this newsletter.
I’ll have more information in future issues of the paid version of Brian’s Buzz on Windows about fixes for I-Lookup–style Trojans as solutions, including XP SP2, become available.
To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send me a comment that I print.
‘Moderate’ security threat in DirectX
MS04-016 (KB 839643): Microsoft released on June 8 two security bulletins as part of its periodic 2nd-Tuesday update process. The first involves a problem rated “moderate” that would enable a malicious person to crash older-style games that use Microsoft’s DirectX technology. The second involves Crystal Reports software, which is bundled into some Microsoft products and is described in a separate story, below.
The DirectX problem (not to be confused with ActiveX’s myriad problems) relates to Microsoft’s DirectPlay API (application programming interface). This API helps game developers create networked, multi-player games without writing their own networking code. According to Microsoft, a security weakness exists only when a game is running on a PC, and then only if the game is using older API calls. If so, an attacker could crash the game, forcing the player to restart the program.
Games that use more recently introduced API calls are not vulnerable to being attacked in this way, Microsoft says. The company, unfortunately, provides no list of affected and unaffected games.
The DirectX API is built into Windows Server 2003, XP, and 2000 with Service Packs 2, 3, or 4. A PC may also have the DirectX API if a standalone program using DirectX was installed on Windows 98 or Me. Windows NT 4 is not affected by this problem.
Gotchas with the update: I’ve found confirmed reports that MS04-016 has problems installing on Windows 2000 SP4 and possibly other machines. The fix involves adding the local administrator account and local domain user account to the Backup Operators group and rebooting. After that, the patch will install. More info
Also, MS04-016 seems to be one of the Microsoft patches that mysteriously doesn’t install at all in certain cases. A Microsoft spokeswoman recommends that affected users read a Knowledge Base article entitled, “You cannot install some updates or programs.” See KB 822798. More info
In addition, MBSA (Microsoft Baseline Security Analyzer) does not correctly detect whether or not a vulnerable version of DirectX is present in a system, and therefore whether or not the system needs to be patched. More info
My recommendation: Because the flaw merely crashes some older games, you may not want to install this security patch. Consider, instead, taking advantage of Microsoft’s stated workaround for the vulnerability: Don’t run older games that use the faulty APIs.
For more information, see Microsoft security bulletin MS04-016.
Crystal Reports allows remote file access
MS04-017 (KB 842689): In the second of two security bulletins issued on June 8, Microsoft announced that Crystal Reports and Crystal Enterprise, information reporting applications developed by BusinessObjects, allow attackers to remotely read files on a PC in certain cases.
Microsoft issued patches for both programs, although the Redmond company doesn’t make the apps, because a custom version of Crystal Reports is included in Visual Studio .Net 2003 and in Outlook 2003 with Business Contact Manager, an add-on that’s distributed on a separate CD with some versions of Office 2003. Also, the Crystal Enterprise 9.0 SDK is distributed in Microsoft Business Solutions CRM 1.2.
The vulnerability exists only if a system is running Microsoft’s IIS (Internet Information Server). In that case, a remote attacker could view and delete files on the PC, but only if the location of the files was known in advance.
You can work around the vulnerability by restricting anonymous access to the Crystal components (requiring a username and password to access the features on a Web page, for example).
My recommendation: I’ve found no reports of negative side-effects from installing MS04-017. If you’re running Crystal Reports or Crystal Enterprise — or Visual Studio .Net 2003, Outlook 2003 with Business Contact Manager, or CRM 1.2 — you should install the update.
For more information, see Microsoft security bulletin MS04-017.
How Microsoft lost the API war
Joel Spolsky, who’s written a series of articles under the rubric “Joel on Software,” has given birth to a major, thought-provoking piece. He argues that Microsoft has lost many, many developers by moving to new programming environments that aren’t downward-compatible with the old.
Spolsky contends that there are two camps within Microsoft: the group that keeps older software working in new versions of Windows, and another group that introduces all-new, incompatible software. He calls the latter group “The MSDN Magazine Camp,” since that’s where the new ga-ga stuff gets hyped. Listen up for a minute:
- “The first big win was making Visual Basic.NET not backwards-compatible with VB 6.0. This was literally the first time in living memory that when you bought an upgrade to a Microsoft product, your old data (i.e. the code you had written in VB6) could not be imported perfectly and silently. It was the first time a Microsoft upgrade did not respect the work that users did using the previous version of a product. …
“With this major victory under their belts, the MSDN Magazine Camp took over. Suddenly it was OK to change things. IIS 6.0 came out with a different threading model that broke some old applications. I was shocked to discover that our customers with Windows Server 2003 were having trouble running FogBugz. Then .NET 1.1 was not perfectly backwards compatible with 1.0. And now that the cat was out of the bag, the OS team got into the spirit and decided that instead of adding features to the Windows API, they were going to completely replace it. Instead of Win32, we are told, we should now start getting ready for WinFX: the next generation Windows API. All different. Based on .NET with managed code. XAML. Avalon. Yes, vastly superior to Win32, I admit it. But not an upgrade: a break with the past.”
Spolsky’s insightful look at Microsoft’s (possible) major mistake is a long chunk o’ prose — but dang if I didn’t enjoy every minute of it. If you write any kind of software for anyone, this is the don’t-miss-it-or-you’ll-bet-your-company type of required reading. More info
USDA classifies frozen French fries as fresh vegetables
Wait! Don’t dump that fast food! You can now eat French fries without guilt because the U.S. Dept. of Agriculture classifies them as “fresh vegetables” — and the government agency is winning court decisions when the idea is challenged.
“As bizarre as it may sound, a federal judge in Texas last week endorsed the USDA’s rules in a court case, saying the term ‘fresh vegetables’ was ambiguous,” writes the Sun-Sentinel, a Florida newspaper. “The USDA quietly changed the regulations last year at the behest of the french fry industry, which has spent the past five decades pushing for a revision to the Perishable Agricultural Commodities Act (PACA). The law was passed by Congress in 1930 to protect fruit and vegetable farmers.”
Wait! It gets even better! Chocolate-covered cherries may now qualify as fresh fruit (seriously)… More info
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
