IE security patch breaks ASP.NET on XP

You can't trust that From line

The continuing rampage of the SoBig virus, the most widespread e-mail virus in history, has already resulted in more than 100 million bogus messages being sent around the world, according to security experts. SoBig, like many viruses, reads through people’s e-mail address books. It then inserts random addresses into the From line of each outgoing message to make it appear to be coming from a person that it’s not.

I was horrified when I realized that PC users might receive bogus e-mail messages that appeared to be sent from me. Because I’m in so many people’s address books, at the height of the attack I myself was receiving more than 500 copies of SoBig messages a day. I easily filtered these out without harm, but I could see that one of my BrianLivingston.com addresses had received a virus that had supposedly been sent from one of my own BriansBuzz.com addresses! (It hadn’t been.)

If you ever receive a virus or a piece of spam that claims to have been sent from one of my addresses, please don’t assume it had anything to do with me. My privacy guarantee assures you that I’ll never sell, trade, or give away your address or use it for any purpose other than sending newsletter updates. But I can’t stop viruses from impersonating my address or anyone else’s. To my readers’ credit, no one has ever written to accuse me of sending this junk, even though (by chance) many, many people must have seen my return address on a bogus message. I appreciate your understanding, if this ever happens to you. —Brian Livingston

IE security patch breaks ASP.NET on XP

By Brian Livingston

This isn’t the first time that a Microsoft patch has needed a patch. And it won’t be the last time, either. Fortunately, it’s not the most horrible or widespread “son-of-a-patch” I’ve ever seen. But it affects enough people that you may want to listen up.

I reported in the August 21 issue of Brian’s Buzz that Microsoft had released two new fixes that I strongly recommended you install. One update corrects a security flaw in Internet Explorer 5 and 6, while the other closes a hole in Windows Me, 2000, and XP. (This particular report was in the newsletter’s paid version.) The downloads are MS03-032 / 822925 and MS03-033 / 823718, respectively.

Warnings about these two updates were drowned out by the wailing and gnashing of teeth caused by the Blaster worm, the SoBig virus, and other highly publicized nightmares last month. But I want to emphasize to you the importance of installing the latest two fixes. The IE hole is rated “critical” by Microsoft, and the other flaw – while merely rated “important” – demands your attention because it affects so many versions of Windows.

Unfortunately, installing the IE patch (i.e., MS03-032) wipes out some flavors of Microsoft’s ASP.NET environment running on Windows XP Professional. If this problem affects you, any processes that touch ASP.NET applications on Internet Information Server running locally on an XP Pro machine fail with the message, “Server Application Unavailable.”

The configuration of Microsoft software that is affected is:

•   Windows XP Professional; and
•   Its built-in IIS Web server running locally; and
•   .Net Framework version 1.0.

A configuration is not affected if any one of the following is true:

•   Windows 2000 or Windows Server 2003; or
•   Windows XP Home; or
•   IIS Web server running remotely; or
•   .Net Framework version 1.1 or higher.

At press time, Microsoft was furiously trying to develop a fix that would correct MS03-032’s impact on .Net. By the time you read this, the Redmond company may have already posted a corrected patch.

Whether or not that’s already happened, Microsoft has provided a simple workaround that eliminates the bonking. If you have any machines that might be affected, first read the ASP.NET FAQ. Second, read the ASP.NET forum thread for more details. Then run the workaround described in the FAQ, which involves a small command file.

I’d like to acknowledge Gary Visser, who was the first reader to implore me to show both the MS bulletin number and the Knowledge Base number in my reports, as I’ve done a few paragraphs above. He and other readers correctly point out that both the Windows Update Installation History and the Add/Remove Programs applet display the KB number (for example, 822925), but not the bulletin number (such as MS03-032). This makes it hard to know at a glance whether or not a particular patch is running on a machine. I’ll do my best to include both numbers when Microsoft has two such interrelated documents.

Sheesh, cleaning up after Microsoft is fun, isn’t it?

Windows updates get freaky with AmphetaDesk

AmphetaDesk is a popular RSS (Really Simple Syndication) application that brings together “news feeds” from Web sites and blogs selected by the user.

Brian’s Buzz reader Steven Davidson, an AmphetaDesk fan, found that the application mysteriously stopped working after he installed several Microsoft updates:

• “Access to localhost (127.0.0.1) is broken on Windows 2000 SP4 and Windows XP Pro after the latest Winupdate-prescribed updates. … I just installed IIS [Internet Information Server] and now it’s working, so that will do for now.”

AmphetaDesk collects news feeds by using a localhost port at IP address 127.0.0.1:8888. Davidson’s reported behavior (especially the fact that installing IIS fixed his problem) seemed very strange. So I contacted Morbus Iff, the developer of AmphetaDesk, whose real name is Kevin Hemenway, the co-author of the new book, Mac OS X Hacks. What he’s figured out poses a challenge to Windows pros. I hope my readers can shed some light on it:

• “About three months ago, I got a flurry of reports that AmphetaDesk had stopped working in IE, with complaints that people were being denied outright. I get a similar report about once a week.

  “Solutions I’ve found that have worked partially for different people:

  •   Use a different browser (this would rule out the claim of a localhost issue, unless it’s something specific within IE).

  •   Use your static IP address for your Net connection (63.173.138.175:8888 instead of 127.0.0.1:8888, for example).

  •   One guy, who tried the above two and was desperate, installed IIS. The minute he did this, AmphetaDesk started working again (which furthers the localhost theory).

  “I’ve not come across anyone smart enough to check the built-in [XP] firewall settings, and not having XP myself, I don’t know how to instruct people to.”

Any readers out there game enough to solve this one? If I print your solution, I’ll send you a gift certificate for a book, CD, or DVD of your choice. To send me a tip about this or any other subject, visit WindowsSecrets.com/contact.

Windows 2000 SP4 co-exists fine with MS03-026, TruSecure now says

In the August 21 issue of Brian’s Buzz, I printed a paragraph based on a security alert by the TruSecure Corporation, a usually reliable source of computer advisories. The alert involved what would happen if a Windows 2000 machine with Service Pack 3 machine was upgraded to SP4. If Microsoft’s critical MS03-026 patch (KB 823980) had been applied to SP3 to protect against worms such as Blaster, TruSecure had said, installing SP4 would undo the protection provided by the patch.

After that newsletter was sent out, Russ Cooper, the editor of NTBugtraq and the author of the original TruSecure alert, wrote to me saying, “See the attached e-mail, we were wrong.”

The attachment said, in part:

• “The testing that was used to come up with this statement was wrong. I did the testing, so I know it was wrong. Last week, I rechecked this and found my mistake. …

  “TruSecure Corporation originally believed that Windows 2000 machines which were at SP3, then patched with MS03-026, and then updated to SP4, would become vulnerable to the attacks against RPC/DCOM (e.g., Blaster). Subsequent testing proved this not to be the case. Systems patched in this method will retain the MS03-026 patch after applying SP4 and do not need to re-apply the patch.”

The day after my newsletter had gone out, I sent to all subscribers a short, plain-text update that reported TruSecure’s change. A couple of readers subsequently expressed to me their opinion that the reversal had damaged the credibility of TruSecure, but I disagree. In a fast-changing and confusing situation, any news source can make an error. What’s most important is that the originator correct the mistake as quickly as possible, which TruSecure did.

My privacy guarantee (shown at the bottom of this newsletter) allows me to send out newsletter updates in between my regular issues, but I rarely do. The one on August 22 was my first in seven months of publication. I believe the importance of the TruSecure change warranted the extra e-mails. Numerous readers volunteered comments suggesting that they agree:

• “So many try to cover up mistakes and misunderstandings. Your integrity is refreshing.” –Lawrence D. Wilson
• “Professional IT people don’t need newsletters or information providers that get bits wrong and try to slip it by without saying anything because they are afraid it will hurt sales or subscriptions. We need newsletters that take their best shots and tell it like it is and try to be as timely as possible. If in the course of that, a bit here or there happens not to be clear, or even wrong or whatever, they come out with the correction/update clearly explained and labeled as such and then go on to the next story. That’s how you build a loyal readership and a reputation for fairness, accuracy, and speed, which (in that order) are the things you want to foster – trust me on this one.” –Greg Hecht
• “I commend you for the high level of integrity shown by quickly alerting your readers to this change. I am sure it will save hours of work for those that were previously misinformed.” –Roger Silva

I suppose I should let sleeping dogs lie and end it right there. But to keep my readers fully informed, I feel compelled to report to you that yet another “gotcha” involving Windows 2000 SP4 has been found by subscriber Matthew Evans:

• “In response to upgrading Win2K SP3 to SP4 and losing the RPC patch from Microsoft, I agree with your newsletter update, it does not affect it. On a side note, though, I have experienced that when removing SP4 to downgrade back to SP3, the patch is removed and must be reinstalled.”

I consider this to be an unverified anecdote, but I’m passing it along to you because the RPC patch is a very important one and there’s an easy way for you to check on its status. In Windows 2000 SP4, use the Add/Remove Software applet to see whether patch 823980 has been installed. If so, and if you then uninstall SP4, you should check the applet to determine whether 823980 is still present. If not, then the problem that affected Evans’ enterprise affects yours, too, and you should re-apply 823980 to remain protected.

RealOne Player needs patch against attackers

The top alert that I think you need to know about this week isn’t from Microsoft, it’s from RealNetworks. Versions of the company’s RealOne Player, RealOne Enterprise Desktop, and RealOne Desktop Manager, if unpatched, allow a malicious person to run code on a user’s PC if the user plays an audio SMIL file.

To its credit, RealNetworks released a patch for this hole on August 19 and a public advisory was sent out on August 27. If you have copies of any of the RealPlayer software mentioned above, I urge you to apply the patch immediately because a malicious SMIL file will play without any prompt (Yes or No) being displayed to the user. More info

Significant Microsoft bulletins this week:

• Windows 2000 Server won’t upgrade to Windows Server 2003 with Windows Services for UNIX installed
• Windows XP setup hangs because Sony Vaio driver must be updated first
• Opening an Outlook 2002 or 2003 archive.pst file in Windows Explorer deletes all archived information

Windows 2000 SP4 continues to generate more problems

I’m seeing reports of dozens of new quirks and incompatibilities between the recently released Service Pack 4 for Windows 2000 and other Microsoft and third-party software.

I’m preparing a special report on this large and complex subject for an upcoming issue of Brian’s Buzz. Meanwhile, I’d like you to take notice of some links that show the magnitude of the problem and give me your feedback. Here’s reader Jimmy Galvin:

• “I teach Microsoft Windows 2000 MCSE courses. Recently, I’ve been loading SP4 on my classroom machines and encountering a variety of difficulties. IIS has given us real problems and, in general, the equipment has slowed to a crawl or, in some cases, blue-screened.

  “Our classroom machines are all on the HCL [Hardware Compatibility List] and meet the stated Microsoft requirements for the classroom. (Microsoft does not support using the latest service packs in these classes, by the way.) This led me to check out a link in one of my other newsletters [see W2Knews.com, below]. Are you hearing a lot of problems with Service Pack 4?”

I sure am. Galvin and other readers have provided a series of links that go on for page after page with headaches that affect software of all kinds. Look at the content of these links for a sample:

• Microsoft’s official list of issues with Windows 2000 after applying SP4
• Windows 2000 SP4 problems collected by W2Knews.com
• Numerous weird reports assembled by NTHelp.com

As I work on an analysis of this situation for publication, I’d appreciate any details that you can contribute. Please visit my contact page to participate in the dialog. Thanks.

This site will give you a galloping good time

Reader Steve Hausman nominates today’s Wacky Web Week site as “a really clever use of Flash technology.” He’s absolutely right. Let the page download for a bit until you see four horses standing in front of a wooden fence. When the horses’ eyes start blinking, click each one in turn with your mouse. I didn’t know horses could sing in rounds! (This plays through your speakers, so turn them down if you don’t want snoopy co-workers in every nearby cubicle to come looking for the source of the singing.) More info

Don’t download online casino advertisements
The Wacky Web Week site that was featured in my July 24 issue – a parody of IE’s well-known “404 error page” – was good for a laugh. But the site apparently belongs to a link-exchange advertising network that I wasn’t aware of. Reader Larry Unger says that when he visited the page and then closed his browser window, a new window opened that advertised an online casino, and it attempted to begin downloading software known as Reefsurf. He canceled the process harmlessly, but wondered why I hadn’t mentioned this irritating behavior in my review. Either the site hadn’t had that feature when I visited it, or the pop-up window was frozen in its tracks by WebWasher, a free utility that I’ll write about in a future issue.