Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Microsoft goes antiphishing
In this issue
- TOP STORY: Microsoft goes antiphishing, part 1
- INDEX OF REVIEWS: Turn your PC into a multimedia hub
- HOT TIPS: Old programs no longer work the same way
- WOODY'S WINDOWS: Microsoft goes antiphishing, part 2
- WINDOWS SECRETS: Head-turning cross-site scripting emerges
- PATCH WATCH: 'Buggy patches' aren't really the problem
- PATCH WATCH: How's Microsoft's security lately?
- WACKY WEB WEEK: Police squash pumpkin threat
Microsoft goes antiphishing, part 1
By Woody Leonhard
No doubt you’ve read about Microsoft’s new Outlook antiphishing software, built into the recent Office 2003 Service Pack 2. Some of the media coverage I’ve seen sounds like it was copied, verbatim, from the company’s press releases.
Suffice it to say that the ‘Softies haven’t solved the phishing problem. Haven’t even put a tiny dent in it. The Outlook 2003 anti-phishing feature, as it works today, doesn’t do much at all. But the foundation has been laid for a capability that could, some day, save your butt. Or at least your identity.
To see what Microsoft’s doing, and where we’re headed, we must first look closely at Outlook 2003’s junk e-mail filter.
How Outlook takes out the trash
When Outlook 2003 receives a new message, it scans the message and assigns it a number called the Spam Confidence Level (SCL). Outlook calculates the SCL by looking up “bad” and “good” words in Outlook’s dictionary, using a method called Bayesian analysis, as many antispam products do. But a lot of other factors besides the words themselves come into play.
For example, formatting alone (such as the formatting in HTML e-mail messages) can affect the SCL. So can the time of day that the message was sent, and much more.
Outlook uses the SCL to determine whether an incoming message goes into your Inbox or is banished to the folder called Junk E-Mail. If a message’s SCL goes over a certain number, the message gets shunted aside as junk.
On occasion, the filter messes up big-time. I don’t know about you, but even the last issue of the Windows Secrets Newsletter got bounced into my Outlook 2003 junk folder. Nobody knows how or why Outlook 2003 tags perfectly legitimate messages as junk. In the case of the last newsletter, it may be because our writers repeatedly use certain words (“virus,” “free”) that are frequently associated with junk. Microsoft doesn’t give out the details, for competitive reasons.
Self-serving tip: If you’re using Outlook 2003, take a moment right now to right-click on this message in the message list, then click Junk E-Mail and then Add Sender to Safe Senders List. That’ll keep Outlook’s mitts off your newsletters.
In the past month, I’ve discovered a handful of other nonjunk messages in my Junk folder — including some important stuff that I really needed to see. The bottom line strikes me as biblical: those who live by the sword die by the sword. Outlook 2003’s junk filter is a long, long way from perfect. The scanner that assigns SCLs is far from perfect. And all this forms the foundation for Microsoft’s new anti-phishing feature.
How antiphishing works — really
In order to get the anti-phishing feature to work, you have to download and install Office 2003 Service Pack 2 (see my diatribe in the paid version of the last issue of Windows Secrets Newsletter), and you have to download and install one of the recent Outlook 2003 Junk E-Mail Filter updates.
Once the pieces are installed, Outlook 2003 changes in three important ways:
1. The scanner tacks a new number on each message. As incoming messages come down the pike, the junk e-mail filter examines each message and assigns each message a new number. This is its Phishing Confidence Level (PCL), presumably calculated by analyzing hyperlinks within the message. (Microsoft isn’t talking about any of the details, natch.)
The junk e-mail filter then scans for all of the usual spam confidence level stuff — looking up “good” and “bad” words and the like — and takes into account the PCL when coming up with an SCL. The message gets branded with its PCL value, as well as its SCL. This new, improved, PCL-sensitive SCL determines whether a message ends up in your Inbox, or in your junk folder.
2. The behavior of messages in the junk folder changes. When you look at a formatted (HTML) message in your junk folder, Outlook takes away all the formatting in the message. This shows you only the text that sits behind the message’s pretty face. So, for example, if you have a message in your junk folder that includes a picture, Outlook won’t show you the picture. Instead, it shows you the link that pulls the picture in from the Internet. If you have a message that includes a hot link with the text, “Click here to go to Wells Fargo,” you’ll see that text, as well as the full-text link that sits underneath the text. This is the page on the Web you would actually go to if you clicked the link.
In addition, all of the links in messages in your junk folder are disabled. You can click until you’re blue in the face, but Outlook won’t let you “click through.” When Outlook takes control and refuses to show you the message as it was formatted, a bar appears at the top of the message saying, “This message was converted to plain text.” Click the bar and you can restore the message to its original HTML formatted glory — but the links still won’t work.
3. Some other messages can have their links turned off, too. Messages with a high PCL value (again, Microsoft isn’t giving any calculation details) that weren’t sent to your junk folder also have their links disabled. A bar appears at the top of any message mangled thusly saying, “Click here to turn on links. To help protect your security, links are turned off in this message.”
If you click on a link in a PCL-censored message, Outlook presents you with a message telling you how to turn links back on again, but it doesn’t “click through” to the intended destination.
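The plain-text view described in item 2, together with two link checks of the kind a phishing score could draw on, can be sketched as follows. This is an added example, not Outlook's code or Microsoft's PCL calculation (which remains undisclosed); the checks, the function names and the sample message are assumptions constructed for illustration.

```javascript
// Added illustration: mimics the behaviour described above, not Outlook's implementation.
// Regex-based tag matching is a simplification; a production filter needs a real HTML parser.

// Strip tags, decode the few entities used here, and collapse whitespace.
function textOf(html) {
  return html.replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&')
    .replace(/\s+/g, ' ').trim();
}

// Lowercase hostname of an absolute URL, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// If the visible link text itself looks like a host name or URL, return that host.
function hostClaimedBy(text) {
  const m = text.match(/(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:\s]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// True when the real host is the claimed host or one of its subdomains.
function sameSite(claimed, actual) {
  const c = claimed.replace(/^www\./, '');
  const a = actual.replace(/^www\./, '');
  return a === c || a.endsWith('.' + c);
}

// Convert an HTML body to text that exposes every link and image target,
// and record why a link looks suspicious (empty list = no finding).
function renderAsPlainText(html) {
  const links = [];
  let out = html.replace(
    /<a\b[^>]*?\bhref\s*=\s*(["'])(.*?)\1[^>]*>([\s\S]*?)<\/a>/gi,
    (_, _q, href, inner) => {
      const text = textOf(inner);
      const actual = hostOf(href);
      const claimed = hostClaimedBy(text);
      const reasons = [];
      if (actual === null) {
        reasons.push('unparseable-url');
      } else {
        if (/^\d{1,3}(\.\d{1,3}){3}$/.test(actual)) reasons.push('ip-literal-host');
        if (claimed && !sameSite(claimed, actual)) reasons.push('text-host-mismatch');
      }
      links.push({ text, href, reasons });
      return `${text} [link: ${href}]`; // show the destination next to the text
    });
  out = out.replace(/<img\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1[^>]*>/gi,
    (_, _q, src) => `[image: ${src}]`); // show the fetch target, not the picture
  return { text: textOf(out), links };
}

// Constructed sample message (reserved .example names and a documentation IP range).
const SAMPLE_HTML = `
<p>Dear customer,</p>
<p>Please confirm your details at
<a href="http://203.0.113.9/login">www.bank.example</a> today.</p>
<p><a href="https://www.rentals.example/specials">Weekly specials</a></p>
<img src="http://tracker.example/open.gif?id=123">
`;

const rendered = renderAsPlainText(SAMPLE_HTML);
console.log(rendered.text);
for (const l of rendered.links) {
  console.log(l.reasons.length ? 'FLAG' : 'ok  ', l.href, l.reasons.join(','));
}
```

A link whose text is ordinary wording, such as “Click here,” carries no host to compare, so the mismatch check alone cannot flag it.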
Microsoft explains how Outlook 2003’s new phishing feature works and how to download it in an assistance document.
Note: Part 2 of Woody’s special report, which includes ways you can configure Microsoft’s antiphishing technology, is included in the paid version of this week’s newsletter — see below.
Woody Leonhard’s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.
Turn your PC into a multimedia hub
Converting your PC into a media center is easier than ever. We’ve gathered the latest in PC system reviews to help you achieve entertainment nirvana.
We’ve also updated our coverage of peripherals and components, including reviews of inkjet printers and a new crop of video cards. And then there are those must-have tech items to make you mobile: Bluetooth headsets and stereo headphones, USB Flash drives, and portable PCs.
MULTIMEDIA PCs: Editors impressed by Niveus Media Center
Streaming Internet radio and personal video recording with remote control is all available through your PC. The editors of Maximum PC Magazine review the latest in media centers and declare Niveus’ Rainier Edition Media Center “the best of the batch,” with the Voodoo EPIC a close second.
- Niveus Media Center: Rainier Edition (Score: 8.0/10.0)
MULTIMEDIA PCs: HP offers dual processor for media needs
Digital media’s power-hungry applications demand serious hardware to run smoothly, including dual-core processors. PC Magazine takes a look at the latest PCs for digital media power users and awards two systems its highest honor.
- HP Media Center 7160n Photosmart PC (Editors’ Choice, Score: 4.5/5.0)
- Sony VAIO VGC-RA842G (Editors’ Choice, 4.5)
BLUETOOTH HEADSETS: Jabra is CNET’s top-rated headset
The number of single-ear headsets for Bluetooth-enabled phones and PCs has dramatically jumped lately. In CNET’s review, strangely, it’s the oldest unit tested — the Jabra FreeSpeak BT250 — that captures the top spot from a bunch of newbies.
- Jabra’s FreeSpeak BT250 (Editors’ Choice, Score: 8.3/10.0)
- Plantronics Discovery 640 Bluetooth (Editors’ Choice, 8.0)
BLUETOOTH HEADSETS: Explorer 320 headset rings in Editors’ Choice
So many Bluetooth earpieces are coming out that the five units tested by Laptop Magazine didn’t include any of the ones CNET rated (see above). After a week spent wearing each model, Plantronics’ offering outranked the others.
- Plantronics Explorer 320 (Editors’ Choice, Score: 4.0/5.0)
BLUETOOTH STEREO HEADPHONES: Plantronics’ headphones do it all wirelessly
After trying Bluetooth earpieces (see above), Laptop Mag turned to wireless stereo headphones. These babies not only let you listen to Bluetooth-enabled MP3 players and laptops in full stereo, they also handle cell phone calls. A Plantronics model scores again.
- Plantronics Pulsar 590 (Editors’ Choice, Score: 4.0/5.0)
USB FLASH DRIVES: Two USB winners take AnandTech Shootout
Exhaustive tests have been posted by AnandTech on an amazing number of USB Flash drives — 20 in all. All Flash drives aren’t alike, with the Lexar and Kingston models delivering the fastest read/write times. Kingston’s encryption/decryption doesn’t reduce performance, AnandTech says, while the Lexar offers both a public and an encrypted partition.
- Lexar JumpDrive Lightning (1GB, Editor’s Choice Gold)
- Kingston DataTraveler Elite (512MB, Editor’s Choice Gold)
INKJET PRINTERS: New Canon inkjet takes No. 1 spot
PC World adds new leaders to the inkjet printer wars this month, with the latest models from both Canon and HP earning the magazine’s “best buy” awards.
- Canon Pixma iP4200 (Best Buy, Score: 4.0/5.0)
- HP Deskjet 5440 (Best Buy, 3.5)
VIDEO CARDS: nVidia dominates ATI in video showdown
Maximum PC Magazine pits 10 ATI and nVidia video cards against each other in five price categories. nVidia’s dual 7800- or 6800-level processors outshine the competition at the high end. ATI doesn’t even have a product in the top (“under $600”) price/performance category.
- Asus Extreme N7800 GTX (Under $600, Kickass Award, Score: 10.0/10.0)
- PNY Verto GeForce 7800 GTX (Under $600, Kickass Award, 9.0)
- BFG GeForce 7800 GT OC (Under $500, Kickass Award, 9.0)
ULTRAPORTABLE NOTEBOOKS: Portégé ultralight outranks all in PC Mag tests
PC Magazine helps lighten your travel load by reviewing the latest ultraportable notebooks. The five tested models all come in under 4 lb. (1.8kg) without sacrificing the tools you need to be productive and secure.
- Toshiba Portégé R200 (Editors’ Choice, Score: 4.5/5.0)
CONVERTIBLE TABLET PCs: Lenovo tablet takes Editors’ Choice honors
PC Magazine also reviews another class of portables — the tablet PC. The convertibles in the roundup range from 2 to 7 pounds (0.91 to 3.17kg). Lenovo’s first attempt at a tablet after buying IBM’s laptop unit is the model that grabs the editors’ attention.
- Lenovo ThinkPad X41 Tablet (Editors’ Choice, Score: 4.5/5.0)
The Index of Reviews summarizes only head-to-head comparative tests by respected industry reviewers, not individual ratings of single products.
Vickie Stevens is research director of WindowsSecrets.com.
Old programs no longer work the same way
By Brian Livingston
Those of us who’ve been using PCs for a few years know that some old software programs don’t work the same way — or won’t work at all — on today’s machines.
In today’s section of tips, we find ways to get back Wordpad’s original ability to save files in Word format, debate the necessity for regular disk defragmentation, and discuss ways to remove previous versions of ZoneAlarm if a newer version complains.
How to make XP’s WordPad save Word files
I hate it when a faithful old program loses a feature I’d come to depend on. A reader named Jim writes:
- “The ability to save in a Word 6 format has long been a help and convenience to those who do not own MS Word.
“WordPad XP still reads a Word file — it just won’t save it. The WordPad in WinXP is somewhat smaller in size than the WinMe version, which does save a document as a Word 6 file.
“To solve this irritant, I copied WordPad from WinMe, putting it in a directory that was in the Search Path, but did not contain the XP version of WordPad. Then I made a shortcut to it, naming it WordPad Me. This [separate file location] was necessary because when I attempted to delete the XP version of WordPad, it re-created it!”
This is a great quick fix for those who don’t wish to shell out hundreds of dollars for Microsoft’s Office suite. If you just need to read Word files, and not write them, however, try Word Viewer, which is a free Microsoft download.
If you want to be able to write Word files in XP without buying Word, but you don’t have an old version of Windows Me available, you could also consider OpenOffice.org (OOo). It’s a downloadable open-source suite that has near compatibility with Word .doc files as well as several other proprietary formats.
Are defrags of fast disks a waste of time?
With today’s high-speed fixed disks, PC users don’t have to wait for data as much as they did in the early days of PCs. That raises some interesting questions about the need for defragmentation. Reader John Meyer writes:
- “Here’s my question: Can anyone find unbiased, actual before/after measurements that show any improvement resulting from running a [disk] defragmenter? I’m talking about tests on actual users’ disk drives, not some pathological test designed to kill the disk.
“I’ll bet dollars to doughnuts that a real-life test would show negligible — possibly zero — gains in performance. This is especially true in a system that has multiple tasks running, each asking for information from the disk at the same time. Multiple-tasks-reads result in a similar situation to defragmentation, where the read will not come from contiguous sectors. There is nothing a disk defragger will do to stop or improve this situation.
“Bottom line: Disk defragmentation software is the appendix of computer software, a vestige of an earlier stage of development that is no longer needed.”
It’s true that disk defragmentation was once an important operation in maintaining system performance but may now seem to be “useless.” Despite this, defragmenting a disk always improves its performance somewhat. The issue is whether a human would notice the difference.
Users of the old FAT32 file system will find more rewards in defragmenting their drive every few weeks than NTFS users, who may not detect any gains in performance.
Surprisingly, it’s truly hard to find scientific, impartial studies of the benefits of defragmentation for a large sample of actual Windows users. PC World recently reported that a defrag of one typical office computer yielded no significant gain in performance, but that’s not a comprehensive sample.
Readers, let me know if you’ve found reliable, large-scale tests of disk defragmenters and any performance gains.
Free tool removes older ZoneAlarm versions
The recent upgrade from ZoneAlarm 5.x to 6.0 was not a completely smooth one, as I reported extensively in the Sept. 15 newsletter. Zone Labs, the publisher of ZoneAlarm, acknowledged that some buyers of 6.0 who installed it over 5.x experienced problems. The company urged those who were having difficulty to uninstall the older version and do a clean install of the new one.
Reader Christopher Wetmore likes a utility that comes in both a free version and a paid upgrade that does the work of uninstalls for him:
- “I’d strongly advise that anyone trying to remove any previous version of ZA, download and run the free version of jv16 PowerTools (available from Macecraft.com).
“Open up ‘Registry Tools’ on the start-up menu and then use ‘Installed Software.’ Scroll down to [and remove] any entries for either ZoneAlarm, Zone Labs, or ezTrust.
“Reason: ZA’s uninstaller leaves a few registry entries behind, which in my opinion, has gummed up a ‘fresh’ install.”
If you’re not having problems, you can use ZoneAlarm’s normal uninstall routine to remove an old version. Or read my uninstall advice on ZoneAlarm for links to complete uninstall instructions.
Readers Jim, John, and Christopher will receive gift certificates for a book, CD, or DVD of their choice for sending tips we printed.
Microsoft goes antiphishing, part 2
By Woody Leonhard
The three changes Office 2003 SP2 makes to Outlook, which I describe in part 1, operate quite independently. The overall effect is really weird, to me anyway.
For example, pictures and hot links are turned off for messages in your junk folder. But if you drag a message from your junk folder to any other folder, suddenly the pictures and links work (with one exception: see below).
Contrariwise, if you drag any message into your junk folder, Outlook 2003 won’t show you its pictures and won’t let you click through on the links. The pic-and-link-nixing operation depends entirely on the location of the message. Doesn’t matter one whit what’s inside the message, or how high the message’s PCL or SCL score.
Messages with a high PCL number are identified in your Inbox (they’re branded “Click here to turn on links…”) but they aren’t identified in your junk folder. Thus, there’s no way to tell if a specific message in your junk folder flunked the Phishing Confidence Level test, short of dragging that message to your Inbox, and looking for the Click here to turn on links… stripe at the top of the message.
Working with the changes
You can prevent Outlook from blocking links on PCL-censored messages by clicking Tools, Options and clicking the Junk E-Mail button on the Preferences tab. This brings up the Junk E-Mail Options dialog box. There, one option says, “Don’t turn on links in messages that might connect to unsafe or fraudulent sites. To help protect your security, we recommend that you leave this check box selected.”
If you uncheck that box, any message that’s been flagged Click here to turn on links… because of its high PCL number will look and act just like any other message. Specifically, with this box unchecked, any message in your junk folder will get its pictures and links snipped. But any message outside your junk folder will have pictures and links, and the Click here to turn on links… stripe doesn’t appear, regardless of whether or not the message passed muster with the PCL filter.
Perhaps the most confusing of all: Outlook doesn’t go back and re-scan your old messages to assign them a PCL number. So while the pic-and-link-nixing behavior for the Junk E-mail folder applies to any message, old or new, the Click here to turn on links… stripe only appears on new messages. That’s only the ones that have gone through the PCL gauntlet after you upgraded to SP2 for Office 2003.
Therefore, that check box in the Junk E-Mail Options dialog, in addition to being very puzzling, only applies to messages received after you performed the upgrade.
Confused? I am.
Implications for you and me
At first glance, the new antiphishing feature is just silly. It prevents you from clicking through on links inside messages that are in your junk folder. As if you were going to randomly click on links in spam.
Upon a second glance, it becomes apparent that the hooks are all there to provide us with a modicum of protection against phishing. The hooks just aren’t working at all well yet.
I’ve received a handful of messages so far that failed the PCL filter test. Only one of them was even remotely connected to phishing.
Almost all of my messages with high PCL ratings were quite innocuous. My weekly list of specials from Alamo Rent-A-Car, for example, has been branded as a potential phisher. One of my co-authors, Ed Bott, reports on his blog that his first message that Outlook pegged as phish wrap came from the Microsoft U.S. OEM System Builder Newsletter. If you look through your inbox for the telltale Click here to turn on links… stripe, I bet you’ll be surprised, too.
In the meantime, I’ve received hundreds — if not thousands — of phishing messages that weren’t caught by the PCL filter. They got through without a burp.
Clearly, so far, the Outlook antiphishing gods are crazy.
Some day, Microsoft may create an antiphishing feature that’s worth the effort. It isn’t clear to me how they’ll come up with an evaluation scheme that’s updated monthly and works worth a tinker’s tink. Still, it could happen.
In the meantime, realize that the current state of antiphishing “protection” in Outlook 2003 amounts to little more than severed links in e-mails that are already identified as junk, where most people would never go clicking anyway. That’s a foundation that may prove useful eventually, but today it’s mostly a lot of marketing fluff.
Woody Leonhard’s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.
Head-turning cross-site scripting emerges
By Chris Mosby
Recently the very popular social networking Web site MySpace was completely taken down due to the first self-propagating cross-site scripting (XSS) worm. How did this happen? It all began as a little prank by one user — until the joke got out of hand.
Our story starts when “Samy” first decides to get around what he calls the “limiting” nature of what you can do to customize a MySpace profile. After succeeding at doing just that, he decided it wasn’t enough.
Samy wanted to be more popular and get more friends on his profile. He eventually discovered a way to control a Web browser that would cause anyone who merely looked at his profile to automatically add him as a friend and to their “List of Heroes” without their knowledge. This was done by using an XMLHTTPRequest — a JavaScript object used in AJAX and Web 2.0 applications — to execute code that would normally be blocked. To avoid blocking by MySpace, all he had to do was split the word “JavaScript” in his script into two words and list them on two different lines.
That still wasn’t enough for Samy. He then figured out a way to get his malicious code to also — on top of everything else — copy itself into the profile of everyone who viewed his profile. That meant every user who viewed a newly infected profile would also add Samy as their Friend and Hero.
That’s when things really got out of hand. Within eight hours, Samy had 200 friends. Five hours later, it was over 6,300. After 20 hours, Samy had over one million friends, with another thousand being added every few seconds.
It took only one more hour before MySpace was taken down, the worm was removed from all of the user profiles it had infected, and Samy’s profile was deleted.
This is why security professionals are so interested in this case. Though this time this XSS worm was not really destructive, it could be next time.
The success of this exploit has really opened the eyes of the security-conscious few to a new means by which a worm can spread. The technique, remarkably, works without installing any code on a computer.
For more info on this, please see the technical writeups in BetaNews, SecurityFocus, Google Blogoscoped, PCWorld, ComputerWorld, and News.com.
IE has unpatched XML vulnerability
Secunia reported an XMLHTTPRequest vulnerability in Internet Explorer at the end of September that’s yet to be patched. It’s unknown if this is directly responsible for allowing the MySpace worm to work, but I’m personally sure it helped things out a great deal.
Secunia suggests that you set your IE security settings to “High.” But we all know that that isn’t the best option. IE pops up a maddening number of warnings when its security is set to High, but it isn’t truly secure even then.
Firefox, my preferred alternate browser, ironically also had a similar vulnerability discovered recently. Unlike IE, however, the flaw was patched within days when version 1.0.7 of the browser, the current version, was released.
As I’ve said many times before, I suggest switching to a browser other than IE, such as Firefox, until IE’s latest vulnerability can be patched.
If using another browser is not an option for you, you should consider following Secunia’s “High Security” suggestion. But I’d prefer that you secure IE using Brian’s recommended configuration, and that you also use at least the recommended Security Baseline shown above.
XSS vulnerabilities commonplace on the Web
It seems that cross-site scripting (XSS) vulnerabilities are unfortunately widespread on the Web. The BetaNews article on MySpace includes this quote:
- “‘Found in over 90 percent of Web sites, Cross-Site Scripting vulnerabilities are by far the most common security issue,’ Jeremiah Grossman, cofounder and CTO of WhiteHat Security, told BetaNews. ‘The incident with MySpace illustrates the dangers presented by XSS vulnerabilities and underscores the importance for organizations to fix these issues.’
“‘Those who do not, especially the online financial institutions and community Web sites, are prime targets,’ added Grossman. But Samy noted that MySpace isn’t the only party to blame for the vulnerability, stating that browser makers also need to do a better job with security.”
After reading this, I did a little research. A search for cross site scripting vulnerability on Secunia’s Web site got me 533 vulnerability listings. On SecurityFocus, it got me 990. Not very pretty.
That just goes to show you that the problem is two-fold. A secure browser alone is not enough. Web developers also need to step up and write better code in their Web applications.
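The filter bypass described earlier (the word “JavaScript” split across two lines) shows why matching a forbidden word is weaker than allowlisting what is permitted. The comparison below is an added example, not MySpace's filter or any site's actual code; the function names, the allowed-scheme list and the sample URLs are assumptions constructed for illustration, and inputs are taken to be attribute values after HTML parsing.

```javascript
// Added illustration: a word blocklist next to a normalise-then-allowlist check.
// Assumption: `url` is an attribute value as an HTML parser hands it over
// (character references already decoded).

// The kind of check that was bypassed: look for the literal word.
function naiveBlocklistAllows(url) {
  return !/javascript/i.test(url);
}

// Schemes a profile link may use (hypothetical policy); relative URLs are also allowed.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Return the URL scheme as a lenient browser could read it, or null for a
// relative URL. Whitespace and control characters are removed first, because
// a tab or newline inside the scheme does not stop it from being recognised.
function schemeOf(url) {
  const compact = url.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = compact.match(/^([a-z][a-z0-9+.-]*):/);
  return m ? m[1] : null;
}

// Allowlist decision: everything not explicitly permitted is refused.
function isAllowedUrl(url) {
  const scheme = schemeOf(url);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Encode text for use in HTML element content or a quoted attribute.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Emit a link only for allowed URLs; otherwise emit the text with no link.
// User-supplied text is always encoded, never passed through as markup.
function renderLink(url, text) {
  if (!isAllowedUrl(url)) return escapeHtml(text);
  return `<a href="${escapeHtml(url)}" rel="nofollow">${escapeHtml(text)}</a>`;
}

// Constructed inputs; the script body is a harmless no-op.
const CASES = [
  'https://profile.example/samy',
  '/friends?id=1',
  'javascript:void(0)',
  'java\nscript:void(0)',   // the word split across two lines
  'JaVa\tScRiPt:void(0)',   // same idea with a tab and mixed case
  'data:text/html,hi',      // a scheme the word blocklist never considered
];

// Side-by-side verdicts of the two checks for each case.
function compare() {
  return CASES.map((url) => ({
    url: JSON.stringify(url),
    blocklistAllows: naiveBlocklistAllows(url),
    allowlistAllows: isAllowedUrl(url),
  }));
}

console.table(compare());
```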
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
'Buggy patches' aren't really the problem
By Susan Bradley
I should have known it was going to be an unusual week when two wooden mouse traps disappeared in my garage. I thought I had one kind of pest problem at first — cute, furry little mice in my garage. It turns out, I probably had a different critter: a rat.
This week’s review of “what’s up with patching” feels a bit like my home garage experience with my furry little friends.
To start with, all eyes were turned to the “buggy patch,” as the headlines read. That’s MS05-051. But a week later, I’m thinking these issues are more like my unseen mice.
After reviewing the literature and reading all the patch communities, I’m still unsure whether the issues that were seen by end users and consumers regarding that patch were “the mice” or an unknown rat. The rat, in this case, would be Windows Update and Microsoft Update. When these two upgrade tools have problems, they give cryptic, confusing messages to end users.
I’ll explain my “mice” and “rat” theories below. But first let me proffer an apology to a forgotten security bulletin from the last issue.
The forgotten security bulletin
First a shout-out to a Windows Secrets reader named John. He “outed” me on the fact that I forgot to mention a particular security issue in my Oct. 13 column. My policy here at the firm is to stay up on the current service packs. But I missed counting the MS05-044 bulletin.
This is a patch rated only “Moderate” in severity by Microsoft. The issue affects FTP and does not affect users of Windows XP SP2 and Windows 2003 SP1. Thus, while the rest of you were patching for 9 issues, I only had 8 to do on my workstations that I was checking against the bulletins.
Fortunately, MS05-044 was not one of the two patches causing all the fuss this month. But it does point out that not every platform gets the same patches — even when you’re running the same base version of the operating system.
Now to clarify that ‘buggy patch’
The headline at InformationWeek read “buggy Windows patches.” But I’m not convinced that the issues that were seen in the newsgroups and communities were the result of bugs. Instead, I suspect admins who didn’t properly test the patches when using nondefault security templates.
Some security guidelines for businesses, such as the recommendations provided by the Center for Internet Security, say that you should “harden” or “tweak” your computers to make them more resilient. Hardening basically means to change Microsoft’s default settings in the operating system in order to increase security, especially in older operating systems like Windows 2000.
Many of the recommended changes are now native to Windows XP and Windows 2003. Microsoft itself provides additional guidance for security “tweakages.” In fact, the Redmond company just released an updated version of its guidance for Windows XP.
In my role as a volunteer at the Center for Internet Security, I’ve discussed these “hardening settings” that differ from the defaults. I remember conversations about whether Microsoft supports their security hardening settings. Microsoft KB article 823659, in fact, explains several ways that changing these settings can cause issues.
We certainly saw these issues this time. KB 909444 covers the specific problems. But, while looking over the newsgroups that reported issues people were having with patching in this go-round, I’m not sure all of the patch issues were a result of this “mouse” of an issue.
I’m not persuaded, for example, that the people I see reporting problems in their home PCs had caused their problems by adjusting their “ACLs.” One article described a solution, namely adjusting the permissions on the %Windir%\Registration folder. But this deep analysis left many posters scratching their heads. They weren’t even sure which folder %WinDir% is. So I don’t think they’d made any ACL changes that could have caused their issues.
In this case, I think all the headlines about “buggy” patches that couldn’t handle customized security settings did a grave disservice to the public. I’m not convinced that the problems I’ve been tracking were caused by permissions issues, at least not for everyone who experienced a problem with this patch.
What could be the real ‘rat’
I think the true rat is not this patch, or even the issue discussed in KB 909596 regarding the DirectX patch. Instead, I think the problem that most admins face each month is in the deployment of the patches. I think the real issue is in the deployment engine.
In the Windows Update newsgroup every month, right after Patch Tuesday, we start seeing telltale subject lines like Error 0x8007005 and 0x8007041D. These cryptic messages lead to frustrated end users.
There may be useful hints inside the Microsoft Update link called Get help and support. But I think it would be much more helpful if the error screen would be more like my Dr. Watson experiences.
Dr. Watson sends me to a recommended resolution or a helpful suggestion about the underlying problem. Instead of a cryptic line like “You may receive error 0x51F when you try to install an Office Update,” it jumps me right to the answer included in KB 875556.
I think if I have issues with the underlying patch engine of the operating system itself, the OS should run me through a troubleshooting wizard. This would reregister the necessary DLLs and stop and restart the services as needed. I wouldn’t have to wade through cryptic log files trying to determine what failed.
While my job at the office is to be the Patch Manager, your job isn’t, or shouldn’t be. This is one area that I think needs to be made much easier for the end user.
Great, more GB in Exchange for junk mail
For many years, those of us using Exchange 2003 — Microsoft’s mail database for small and medium firms — were stuck with only 16 gigs of storage. In this day and age of e-mail retention, spam, and what not, 16 gigs was a tight fit even for small firms.
One consistent request from customers in the last few years was for Microsoft to increase the size of Exchange’s mail storage. 16GB had to go as a limit. And go it did.
Now, with Exchange 2003 Service Pack 2, the size of the database is increased to 75 gigs. However, this size increase isn’t immediate with merely the application of the service pack. Instead, your initial size is increased to a maximum of 18 gigs. Anything above that must be configured in the Registry.
The Ehlo blog discusses some size considerations, so read and review it. In addition, check the release notes before changing these settings.
Furthermore, you must remove the earlier version of the Exchange Intelligent Message Filter and download and apply KB 898060 before installing this service pack. Then enable the new IMF. After the installation, there’s yet another patch, KB 905214, which needs to be obtained if you enable Sender ID Filtering.
At this time, that patch is available for free only by calling Microsoft Product Support Services. I hope they make this a more easily downloadable patch in the future.
The service pack is supported on any Exchange 2003 system. That includes the Exchange 2003 that’s found in Small Business Server 2003. For detailed information, check out Vlad Mazek’s step-by-step visual guide.
Office 2003 SP2 pulled off autoupdate
Woody Leonhard described problems with the Office 2003 SP2 deployment in his column last issue. If end users had deleted their "local installation point," Microsoft Update was unable to handle the resulting issue in a smooth manner.
As a result, Microsoft has now announced that it will not automatically deploy Office 2003 SP2. You’ll now have to roll out SP2 as I described in the last newsletter. That means going to Microsoft Update manually and downloading the service pack.
What’s up with you?
I want to hear from you. What are your biggest issues with patching? Were you affected by the so-called "buggy patch?" Are you an administrator who used a Microsoft-supported security template "as is" on your Windows 2000 boxes and were affected?
If so, I’d like to hear from you. Is your monthly Windows Update or Microsoft Update experience a slog through a bunch of error codes? Use the contact page to let me know.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
How's Microsoft's security lately?
By Ryan Russell
There’s been a trend lately with Microsoft’s "critical" patches. You may have noticed that a significant portion of the time, patches the company rates as Critical aren’t critical on Windows XP SP2 and Windows Server 2003 SP1. This is certainly no accident. With these releases, in my opinion, Microsoft has achieved some actual payoff for its security efforts.
There are a number of key principles that security people preach constantly. These include defense-in-depth, disable unneeded services and features, default to restricted, and fail closed.
Notice that these are all secondary failsafes. These are the measures that will (hopefully) save you to some degree when your primary defense falls. Your primary defense is having code without security vulnerabilities.
I’m not here to try and guesstimate which of all the operating systems in the world have fewer bugs. I can’t tell you for sure if many eyeballs make for shallow bugs. I doubt whether it’s even possible to definitively say whether one codebase has fewer bugs than another.
But that’s not really a useful discussion here, anyway. You’re reading this because you’ve chosen Windows for at least some portion of your work, and you want it to work for you.
I do believe that making security a primary goal of your development efforts makes a huge difference in the security of the end product. It makes intuitive sense, and I’ve gathered enough anecdotal evidence over the years to convince myself that security as a development goal is critical.
Well, great. Microsoft has made it so, correct? In 1999, they held a “hacking contest” prior to the release of Windows 2000. (Generally, I’m not a huge fan of such “contests,” but in that particular case it was actually needed and did some real good.) In 2002, Microsoft declared that all developers were to stop work and spend time doing source code review.
Around 2003, Writing Secure Code was declared required reading at MS. The company implemented mandatory secure programming training for all programmers and added features like the /GS stack protection switch to their compiler.
I spoke with one of the book’s authors, David LeBlanc, who worked for Microsoft at the time. He confirmed the use of his book and the fact that he oversaw some of the training. Microsoft continues to increasingly treat security as a corporate strategy, a feature to be sold, much as they successfully sold “The Internet” a number of years ago.
Necessary but not sufficient
I went from being skeptical about Microsoft’s commitment to security to cheering them on today. I’m no longer worried that they’re just paying lip service. I’m convinced that Microsoft is making real efforts and that these efforts are making a difference.
But we still had another round of security bulletins two weeks ago, didn’t we? And that includes versions of Windows that are new enough that they should have been able to benefit from the new, secure code.
I firmly believe that for anything even close to the size of Windows, you’ll never exorcize all bugs. There’s just too much code. Plus, Microsoft is saddled with the burden of backward compatibility.
Having a fallback defense is mandatory
So I reiterate my point: Your primary line of defense — having secure code — isn’t good enough. You absolutely need secondary lines of defense.
In XP SP2, you’ve got default firewalling, services that are only reachable over loopback, disabled services, a more paranoid Internet Explorer, and stack protection. Yes, these are also reasons that it was a somewhat painful upgrade for many, but the benefits were well worth it. It’s been over a year. You’ve gotten through it by now, haven’t you?
The fact that these features are all on by default is probably equally important to the success of XP SP2 (and 2003 SP1, which I put in the same category). If you’re like me, you’re probably the friends-and-family computer guy for most of the people you know. I don’t think any upgrade from Microsoft has saved me more trouble, personally, than SP2.
A few of the new features that jump out at me are autopatching, granular firewall exceptions, antivirus nagging, IE pop-up blocking (plus generally ratcheting down the security screws in IE), and cutting down on the RPC services.
And it’s not just that the services are available, it’s that they are all turned on by default. They are on for nearly every copy of XP that now goes out. Not only the computers I have to go put my hands on, but also any new users, such as the guy who would have become one more node in a botnet.
Please, sir, may I have some more?
I understand the concerns over Microsoft’s business practices. I understand that Microsoft is everyone’s favorite whipping boy for security holes. I get the irony regarding Microsoft producing antispyware and antivirus tools. I understand that all these features were pioneered in third-party products and that those tools still do a more comprehensive job. I don’t want to discourage anyone from obtaining the better protection methods afforded by such tools.
But it is incredibly important that at least the basic versions be available for all users, and on by default. I want Microsoft to go even further with these efforts. Heck, I’ve been an advocate for a deadman’s switch in Windows for some time. Haven’t patched in two months? Then you fall off the Internet, except for being able to browse to windowsupdate.microsoft.com. I might be a little ahead of my time with that, though.
I don’t think Microsoft’s going to put the makers of ZoneAlarm out of business any time soon. It’s a great product, and does far more than XP’s built-in firewall. But having a minimally-functional firewall right in the box was a winning move for Microsoft. Yes, I’m aware that various types of firewalls have been bundled for some PC buyers. But the XP SP2 firewall is the first one my mom can use.
To be completely blunt, if you want to implement disk compression in current versions of Windows, you don’t use Stacker any more. In a few cases, there’s something to be said for Microsoft muscling out the little guy. I think practicality dictates that Microsoft be allowed some leeway for user-protection features.
Students, this is your next assignment
My little lecture won’t stick without some homework to reinforce the lesson. Here’s what I want you to do: I want you to encourage Microsoft to press forward with more of the aggressive, security-in-depth kind of updates. This means you have to get rid of Win9x and NT 4 and all of that earlier stuff. And you have to nag your software vendors into supporting updates like XP SP2 immediately, if not sooner.
For those of you who’ve been around for a few years, do the following exercise with me. Remember having to re-apply service packs to NT4 and having to re-apply hotfixes every time you installed a new system software component? Now compare this with the same process on Windows XP and 2003, which is much easier. Tell me whether or not Microsoft has made any improvements. Class dismissed.
Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias "Blue Boar." He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Police squash pumpkin threat
Reuters reports that heavily armed Venezuelan security forces surrounded several Halloween-style pumpkins that were found on the streets of the capital carrying protest messages against President Hugo Chavez. The leering vegetables "could have harmed someone," police commissioner Jesus Gonzalez told reporters.
If your Halloween pumpkins aren’t as fear-inducing as the ones in Caracas, well, get to work. Your first stop could be Pumpkin Carving 101, a Web site loaded with instructions and stencil patterns, such as Flicker The Cat (photo, left). Pumpkin-Carving.com
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
