MS03-032 / 822925 patch doesn’t work

MS03-032 / 822925 patch doesn't work

Son of a patch, it happened again.

I reported in the Sept. 4 issue of Brian’s Buzz that a patch for Internet Explorer 5 and 6 that was rated “critical” by Microsoft should be installed immediately: bulletin MS03-032 and Knowledge Base article 822925.

After that newsletter was released, Microsoft acknowledged that the patch does not successfully close one of the serious flaws that it was intended to correct. eEye Digital Security’s chief hacking officer Marc Maiffret was quoted in a News.com article as saying that the remaining flaw is “so easy to exploit” that it could soon wreak havoc.

The software giant on Sept. 8 added text to its MS03-032 bulletin saying, “Microsoft is investigating these reports and will re-issue this bulletin with an updated patch that corrects these problems.” The Redmond company is also trying to clean up the fact that installing MS03-032 breaks ASP.NET applications running locally on Windows XP machines, as I described in the Sept. 4 issue. Microsoft gave no estimate of the date when a corrected patch might become available.

The security hole that still exists after the installation of the MS03-032 patch is critical because a PC can be taken over by a hacker if the PC user merely views a malicious e-mail or Web page. As eEye describes it in an alert, even IE users running Windows Server 2003 may be vulnerable. IE on Server 2003 cannot by default view ActiveX content, which is a feature of many Web pages. But many users “may have chosen to reactivate the ability to view active content,” eEye says.

Until Microsoft has an updated patch available, you can disable ActiveX content in IE to guard against hackers taking over your PCs. One way to do this in IE involves clicking Tools, Internet Options, Security, then selecting the Internet Zone, clicking the Custom Level button, and disabling ActiveX.

To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.

Possible solutions for AmphetaDesk and Windows updates

In my Sept. 4 issue of Brian’s Buzz, I printed comments from Kevin Hemenway, the developer of AmphetaDesk, an RSS news aggregator. He and another Brian’s Buzz reader reported that a patch that is currently being downloaded by Windows Update (they don’t know which one) prevents AmphetaDesk from accessing localhost port 127.0.0.1:8888. This problem stops the application from collecting feeds over the Internet.

I asked other readers to hlep. We don’t exactly have a solution yet, but Robert Chapin provided the best troubleshooting tips by sending in the following comment:

• “I’m not familiar with AmphetaDesk, but here are the things I’d check if IE is taking issue with the loopback address:

  #1 – Most Important. Is this software using the ‘localhost’ name or the 127.0.0.1 ‘loopback’ address? They’re different, as you know, because one of them requires only a correct routing table entry. The other ‘localhost’ name requires a special entry in:

%systemroot%system32driversetchosts

If that entry is missing, then neither the DNS nor the WINS/NetBIOS lookup will be successful.

Certain interactions between the DNS and LMHOSTS lookup systems could also interfere.

#2. IIS [Microsoft’s Internet Information Server] is one of those things that really gets its fingers into every part of the OS, especially when it comes to networking. It would be good to do a thorough check of all IP routing, filtering, and network configuration before and after the problem goes away.

#3. If 127.0.0.1 doesn’t work, then what about 127.0.0.2? Is 127.0.0.1 responding to pings? Is IE in one of its Offline moods, or set up to use a proxy, or other goofiness?”

I’m pretty sure AmphetaDesk is using the “localhost” name, not the “loopback” address, but that’s an interesting factor to test, certainly.

Reader Jonathan Spencer provided a comment indicating that other applications may be running into the same problem, whatever it is:

• “I recently installed Spamihilator, which uses localhost as its intermediary point for de-spamming mail. After I recently ran Windows Update (and installed Windows 2000 SP4), Spamihilator stopped working. I reinstalled it and it’s now OK, but this looks like it might be related to the same issue.”

I’ll include more information in Brian’s Buzz on Windows if and when we can determine the exact cause of the problem and its solution. I’m sending readers Chapin and Spencer a gift certificate for a free book, CD, or DVD of their choice for sending me comments that I printed.

MS03-039: Here comes Blaster 2.0

This month has been an exceptionally heavy period for serious new Microsoft warnings of holes and patches to close them, as you can see from the three examples highlighted in the “other bulletins” section below. But the most alarming news is that there’s another example of the same kind of hole that produced the devastating Blaster worm this summer.

According to Microsoft, a new flaw has been found in the Remote Procedure Call (RPC) protocol found in Windows NT, 2000, XP, and Server 2003. This is the same protocol that allowed Blaster to infect millions of PCs, causing many of them to reboot after a 60-second countdown, without the user even visiting a malicious Web site or previewing an e-mail. But this month’s flaw is a new, distinct one.

The security firm LURHQ Corp. announced in an alert on Sept. 16 that working hacker exploit code was already available on the Internet to use this hole to attack Windows. The advisory points out that Blaster swept the Internet in August only two weeks after exploit code first became public.

Even if you’ve installed Microsoft’s patch against Blaster (MS03-026 / 823980), you must now install MS03-039 / 824146. If you haven’t installed MS03-026, at least MS03-039 applies the earlier patch as well.

The most important other bulletins this week:

• MS03-035 / 827653: A Word document can silently run malicious macros even if Word is configured not to automatically run macros.
• MS03-036 / 827103: Every version of Microsoft Office, Front Page, Publisher, and Works can give an attacker control if a single document is opened.
• MS03-037 / 822715: Opening a single document in any app that can run Visual Basic (Office 97-2002, Visio, Great Plains, etc.) gives an attacker total control.

How to shut off the Passport reminders in XP

Users of Windows XP know about its incessant calls for you to register for a Microsoft .Net Passport. This is an insecure and privacy-violating method for Microsoft to get your e-mail address, among other things. I’ve complained about this in previous InfoWorld columns (see Sept. 2001 and Oct. 2001), so I won’t recite a list of Passport’s problems again here.

What interests me is how to shut off the maddening reminders. Reader Scott Yorkovich heard about the secret and sent the tip to me.

A single Registry entry does the trick. In XP, you can place the following lines into a file with a .reg extension, then right-click the file and install it to disable the Passport ad pitches:

[HKEY_CURRENT_USERSoftwareMicrosoftMessengerService]
“PassportBalloon”=hex:0A,00,00,00

This trick isn’t even posted in Microsoft’s online Knowledge Base yet. The Redmond company revealed the technique in its Windows Platform News newsletter in July. That publication contains instructions that allow you to make the change manually using a Registry editor, if you prefer.

I’m sending Yorkovich a gift certificate good for a book, CD, or DVD of his choice for being the first to send me a tip that I printed.

Windows 2000 SP4 breaks Active Directory’s single-level domains
Reader Steve Runyon is very upset about a weird effect of Service Pack 4 that’s caused him many lost hours and dollars:

• “M$oft has ensured that everyone who applies W2K SP4 and uses Active Directory with a single-level domain name will pay $200 for a support call.

  ” ‘Single-level’ domain names are domain names without a dot. For instance, a machine called ‘river’ in a domain called ‘petro,’ for a FQDN of ‘river.petro.’

  “Although these kinds of names are useless on the Internet, in a private network they may find use, especially as we migrate to Active Directory. My company uses such a domain name internally for our hosts.

  “The MS article number is 300684 that describes the Registry fix. Here is the content of the .reg file we use:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters]
“AllowSingleLabelDnsDomain”=dword:00000001

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters]
“UpdateTopLevelDomainZones”=dword:00000001

“We’ve found that – on our network with a single-level domain name – we must perform this fix before applying SP4 or our server will subsequently fail to register with the Active Directory DNS.”

As I wrote last issue, I’m collecting more information about the weird behavior of SP4 for Windows 2000. To send your findings, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.

USB coffee cup warmer for dummies

Way back in my March 13 issue, I revealed a laugh-out-loud invention: a coffee cup warmer (available only from a Tokyo site that was written entirely in Japanese) that plugs into the USB port of your laptop. This lets you use it where power outlets are scarce.

That sparked quite a discussion in my April 10 issue. Several readers reported that the mini-appliance worked only on pre-heated cans of coffee that are sold from a special type of vending machine that’s common in Japan. No one knew of any USB coffee heaters for the rest of us.

Finally, reader Marleen Wanders has found a USB coffee mug warmer that works with any flat-bottomed cup. The AS-1420905 (pictured above left) plugs into any USB port and has a convenient on-off switch.

Unfortunately, the reviews I was able to find on this little gadget were only lukewarm.

Blogger Michael Cruft found, after opening the case, that it doesn’t even have a heating element. The gizmo’s inventor apparently thought that the heat byproduct of two voltage regulators would keep coffee warm! If you’re still interested, though, the usually reliable Cyberguys at least have the decency to sell the unit for only $16.95 plus shipping. At Directron.com it’s $24.99.

But if you need to keep a beverage warm, who isn’t near a power strip these days? Unless you commonly sip your coffee while drifting on an ice floe, I’d suggest you simply get an AC-powered warmer plate.

The best one I found – with a real ceramic base and a 3-foot cord – is at the Vermont Country Store for $16.95. If you’d prefer a cheap plastic one (priced from $10 to $13), the slickest unit is at Kitchen Etc., followed by TableTools, Home Marketplace, and RollingPin. The Kitchen Etc. model boasts 18 watts of power, which no USB port will ever be able to match (USB is limited to 2.5 watts).

That’s the end of our “geek survival tools” discussion for today!