Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
Protect your media player from podcasts
In this issue
- TOP STORY: Protect your media player from podcasts
- HOT TIPS: Have a problem? I'll print something about it
- WINDOWS SECRETS: Windows vulnerabilities from several sources
- PATCH WATCH: Microsoft forgets to sign a few patches
- PATCH WATCH: UR1 — not an update, not a service pack
- WACKY WEB WEEK: "Jeb's Jobs" is tech support on steroids
Protect your media player from podcasts
Update Windows Media Player to avoid surprises
Late in 2004, computer experts noticed that a popular Windows Media Player video file was actually a silent delivery mechanism infecting millions of PC users with spyware.
On Jan. 3, 2005, security researcher Ben Edelman revealed what was happening to people who played this video file in WMP. After clicking the OK button on a single, legitimate-looking "browser update" dialog box, "My computer quickly became contaminated with the most spyware programs I had ever received in a single sitting," he said.
Edelman counted an amazing total of 31 programs that had silently been installed, without even displaying a license agreement. These included adware from 180solutions, CoolWebSearch, Ezula, ISTbar, and many other adware companies, he said. (By the way, I reported on July 14 that Microsoft’s AntiSpyware beta program, to the dismay of spyware experts, has stopped recommending the removal of programs by 180solutions, Ezula, and some other adware companies.)
How the trick works: Media files that are played using recent versions of Windows Media Player, such as 9.0 and 10.0, can invoke Microsoft’s Digital Rights Management system. This DRM scheme allows multimedia files, among other things, to open a Web page and display information to the user.
Allowing audio and video files to open new windows is not such a good idea in the first place. Even worse, however, is how DRM was implemented by Microsoft.
[Figure: Playing a video file in Windows Media Player can launch a dialog box that looks official but installs spyware.]
DRM-protected multimedia files, when played in WMP, can make a dialog box appear, such as the one shown above that Edelman diagnosed. (This image is reproduced with Edelman’s permission.) In this case, the dialog box tells the user to click the Install button to get what was supposedly a Required Media Player Version 10 Browser Update.
Most Windows users, of course, see dialog boxes like this all the time. For example, legitimate audio and video files commonly require the download of a particular compressor-decompressor, or codec. That perfectly ordinary situation displays a very similar codec-update dialog. (I discuss, below, a safe way to update codecs.)
In the case shown above, the message does say Security Warning, but so do many other alert boxes. It’s very natural for Windows users to click OK on boxes such as this one, and huge numbers of people have done so. After all, the dialog box says the download is required! (For details, see Edelman’s original report.)
Microsoft’s response to the outcry over this unacceptable behavior was pathetic. For at least a week, the company initially said the misleading dialog boxes were using a "by-design feature" of WMP, which wouldn’t be changed. The company then reversed course, telling eWeek in January that a patch would be available by mid-February.
Patches that allowed WMP 10 users to switch off the deceptive behavior were in fact released by then. But no patches were made available for WMP 9, which is used by more people, according to an April 14 eWeek article.
Microsoft finally released security advisory 892313 and the related Knowledge Base article 892313 on May 10. These articles described the problem and linked to an update for WMP 9 that had been posted a few days earlier.
Unfortunately, the WMP 9 patch is available only for users of Windows 2000 and 2003, not users of Windows 98 or Me. Worse, neither the advisory nor the KB article tells WMP 9 and 10 users that they must change a setting to turn the protection on after installing the upgrades. Finally, as far as I can determine, neither Windows Update nor the newer Microsoft Update bothers to inform users of the need for these upgrades.
What to do: Users of Windows XP with Service Pack 2 (SP2) who also have Windows Media Player 10 installed are not vulnerable to the problem. For everyone else, I’ve put together the following steps to make you immune.
WMP is “integrated” into Windows and you can’t easily remove it. For this reason, I urge you to upgrade WMP’s components to the latest version available for your OS, even if you never use it. Then apply patches as described in the steps below. WMP 10 will run only on Windows XP. WMP 9 will run on Windows 98 SE, Me, 2000, and 2003 as well as XP.
Users of Windows XP: First, if you don’t have SP2 installed, I recommend that you install it now, using the XP SP2 page or the new Microsoft Update (requires Internet Explorer). While you’re at it, use Microsoft Update to get the latest security patches for XP. Then, if you don’t have WMP 10, get it from Microsoft’s download center. Once WMP 10 is installed, read security advisory 892313 and install the update for WMP 10 using the link in KB article 892313. Finally, read section 9.4 of Microsoft’s WMP FAQ. Follow the instructions in bullet point 4 to turn off auto-acquisition. To do this in WMP, right-click the title bar, then click Tools, Options, Privacy, then turn off Acquire licenses automatically for protected content.
Users of Windows 2000 or 2003: First, use the new Microsoft Update (requires IE) to get the latest security patches for your OS. Then, upgrade to the latest version of WMP 9 using Microsoft’s download center. Once the updated WMP 9 is installed, read security advisory 892313 and install the update for WMP 9 using the link in KB article 892313. Finally, read section 9.4 of Microsoft’s WMP FAQ. Follow the instructions in bullet point 4 to turn off auto-acquisition. To do this in WMP, right-click the title bar, then click Tools, Options, Privacy, then turn off Acquire licenses automatically for protected content.
Users of Windows 98 SE and Me: WMP 9 will run on these OS versions, but 98 SE and Me are so old that Microsoft no longer supports them and I don’t recommend them. There’s no patch for WMP 9 on these operating systems. If you have a PC that’s running 98 SE or Me, check whether it meets the hardware requirements for XP using Microsoft’s upgrade center. If so, I urge you to upgrade to XP SP2 and WMP 10, even if you have to pay money for a retail copy of XP.
All users: Upgrading to the latest Windows security patches, which I recommend above as step one, eliminates other security holes that affect WMP. For example, being current with all patches stops WMP 9 from being infected by poisoned PNG images, as described in MS05-009. Also, Windows Update may already have installed patch 828026, which dates back to September 2003. Administrators should use the three Registry values described in the related KB article 828026 to stop WMP 9 from responding to URL script commands.
Note that even taking the steps above may allow some media files to display dialog boxes, which you must take care to answer correctly. As far as I’m concerned, no video is important enough to answer Yes to any dialog box a strange file opens, if WMP is the media player. (If you need an updated codec, download it separately from a legitimate source, such as the ones recommended by Microsoft in “How do I find a codec?”)
If you’re running XP SP1 or higher or 2000 SP3 or higher, you can restrict access to WMP, although you can’t easily remove it. You do this using Windows’ Set Program and Access Defaults feature. Follow the instructions in section 2.4 of the WMP FAQ.
By the way, don’t bother using KB 190990, entitled “How to determine the version of Windows Media Player,” to determine your version of WMP. Despite being revised as recently as Mar. 24, 2005, the article shows the wrong current version numbers for WMP 9 and 10.
After you’ve upgraded and patched WMP, you may also wish to install one of the third-party media players mentioned later in this article. Let the new player associate multimedia file extensions with itself so WMP never runs. That’s the best you can do to keep audio and video files from automatically launching WMP. When security holes are discovered in the future, my guess is that other vendors will fix their problems quicker than Microsoft will.
iTunes isn’t safe just because it’s Apple
Apple software doesn’t suffer from security flaws as often as Microsoft’s does, but problems aren’t unheard of. You need to stay abreast of Apple updates, especially for its popular iTunes media program, just as you do with Windows apps.
A flaw in iTunes was announced by Apple as recently as May 9, 2005. The problem allows a hacked MPEG4 file (.mp4) to silently install a Trojan horse on a computer. This wouldn’t affect an iPod or other specialized MP3 player. Nor would it likely affect Apple’s OS X operating system, which protects users from installing software unknowingly. But it would be a big problem in Windows, which by default runs with administrator privileges all the time, allowing viruses to quietly install themselves.
Fortunately, Apple released an upgrade, iTunes version 4.8, on May 9 to correct the problem on Windows 2000 and XP and OS X 10.2.8 or higher. Even better, Apple released iTunes version 4.9 on June 28, which is the first version that supports podcasting. You should upgrade iTunes to 4.9 immediately.
What to do: First, read the description of the MPEG4 problem provided by SANS and Apple. Then, upgrade to iTunes 4.9 using Apple’s download page.
QuickTime can play more than videos
QuickTime is another Apple program, this one primarily used to display short videos. The application runs on both Windows and Mac and often comes preinstalled on PCs. It’s also widely downloaded by people who want to view movie trailers provided by Hollywood studios and other content.
QuickTime was found in September 2004 to be hackable if it was used to display, of all things, a still-image bitmap file (.bmp). If you happened to load a poisoned bitmap, it could silently take over your PC while the image was being displayed as though nothing was wrong.
Apple released QuickTime 6.5.2 on Oct. 27, 2004, to correct the problem. Since that date, it’s released QuickTime 7.0. But that version was found to allow media files to send data from your computer back to a hacker’s Web server. The company released QuickTime 7.0.1 on May 31, 2005, to patch this.
What to do: Read Apple’s descriptions of the problems corrected by QuickTime 6.5.2 and 7.0.1. Then upgrade to QuickTime 7.0.1 using Apple’s download page.
Music and movies can hack RealPlayer
RealPlayer is one of the most popular media players on the market, with hundreds of millions of downloads of its free player and more than 2 million paying subscribers, according to a company statement.
But RealPlayer and other products made by RealNetworks have had a troubled history with security holes and privacy issues. The company lists on its security page more than a dozen patches that have been required for its media products, including RealPlayer and RealOne Player, in the past 2-1/2 years.
In addition, RealNetworks’ software raises security issues for both companies and individuals. RealPlayer and RealOne Player are configured by default with Internet-access features that allow RealNetworks and its partners, such as NASCAR and CNN, to install additional software, according to WatchGuard Technologies.
Most recently, RealNetworks released patches for its software — including RealPlayer, RealOne Player, RealPlayer Enterprise, and Rhapsody — on June 23, 2005. These programs, if unpatched, can let hackers access a PC if the user plays a hacked MP3 audio file or AVI video file, or even visits a Web site that plays multimedia content.
What to do: Read the descriptions of the latest security hole provided by eEye Digital Security and RealNetworks. Then review any patches that may apply to you on RealNetworks’ security page.
Finally, upgrade any RealNetworks software you may have to the latest version that’s safe. For example, RealNetworks’ June 23 bulletin says these versions are not at risk: RealPlayer 10.5 (build 6.0.12.1212) and Rhapsody 3 (build 0.1141).
Winamp falls victim to sneaky MP3s
Winamp is such a widely used media player that it’s listed as the 32nd most popular file at CNET’s Download.com. Unfortunately, like the other player apps, Winamp, too, has had its share of programming blunders that exposed users to danger.
In the latest case, merely playing an MP3 file in Winamp can cause hacker code to silently run. This can potentially plant a Trojan horse on a computer, according to a July 14 analysis by a security research group in Croatia named LSS (Laboratorij za Sustave i Signale).
Winamp released a new version on July 19 that fixes the flaw.
What to do: Read the analysis by LSS, then upgrade to Winamp 5.094 using Winamp’s download page.
C’mon, get it together, developers
Of all of the Windows applications we use, media players that simply play audio or video clips should be risk-free. It isn’t asking too much for developers of these programs to subject them to thorough security audits and neutralize any possible threats.
Enjoying podcasts should be a simple matter that doesn’t expose users to serious risks. We’re not there yet, so — until that day comes — you need to give your media player periodic patches in order to use podcasts safely.
You might think that a podcaster would never risk losing audience share by including a virus in a regularly scheduled show. But a podcaster’s PC might inadvertently get infected, adding a hidden virus to a file without anyone noticing until it had gone out to thousands of people.
In addition, viruses these days don’t seek to erase a PC’s hard drive. Instead, they aim to quietly take over the PC’s bandwidth, and big dollars are at stake. Podcasters have already received financial offers to distribute adware within podcatching software, according to a public warning by Nick Bradbury, the developer of FeedDemon. We all have to keep our guard up against this threat.
To send us more information about podcasting, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Have a problem? I'll print something about it
By Brian Livingston
My inbox has a healthy flood of e-mail from readers who are suggesting improvements on something I previously printed or quarreling with something they say I shouldn’t have printed.
This week, I can’t include nearly all of the excellent remarks I’ve received. But we’ll start with a tip on multi-VPN routers and work our way toward other, more controversial subjects.
Support 16 VPNs with a single router
I published in the July 28, 2005, newsletter reader Rich Kole’s recommendation of the D-Link DI-604 router, which he said was the only router he’d found that supports multiple VPN sessions. David Streit sends in the following news:
- “I use a DrayTek Vigor2200eplus VPN SPI firewall — DSL-cable router — 4-port switch. The Vigor supports 16 simultaneous tunnels. It doesn’t include Wi-Fi wireless, but of course, you can plug an access point into any one of the four switch ports. The Vigor costs about $90. I’ve installed several at small business clients with excellent results.
“F.Y.I., one thing I like about the Vigor is that the VPN supports name and password authentication. That feature works well with the VPN client built into Windows XP, so no software is required to establish a tunnel.”
If your company needs to support lots of VPNs, it’s certainly worth checking into the DrayTek unit reader Kole describes.
Should Microsoft coding problems be publicized?
I wrote in the Aug. 4, 2005, news update that Microsoft’s new Genuine Windows Advantage software suffered from three easy ways to turn it off, which had been discovered within hours. That generated the following remarks from Todd Koenig:
- “I have to disagree with two statements in your article entitled ‘Windows validation easily circumvented.’ My objections revolve around the motivation behind your printing of the article.
“First, you claim that you are not trying to promote cheating, yet you list multiple, specific methods to accomplish the cheat to thousands of your subscribers. Had you stated that ‘multiple websites are posting methods for subverting the validation,’ I don’t think you would have gotten too many people complaining that you should ‘prove it’ with some specific sources.
“Second, you claim that your reason for posting this article is that the easy-to-circumvent validation makes you wonder what other pieces of Microsoft software are not being tested thoroughly. But let’s be honest here. We already know that the contributors to this very useful newsletter have a thorough understanding of Microsoft’s shortcomings. Furthermore, given that the validation functionality is for Microsoft’s benefit and not for my benefit, I applaud Microsoft for placing it as a lower priority than testing their security patches (that’s called looking out for the customer).
“Finally, given the fact that MILLIONS of non-computer-nerd customers will never go to the trouble to circumvent the validation as you outlined, Microsoft can still count on some real benefit from the changes, even if they are easy to get around.”
Rest assured, I considered points such as these before writing what I did about the validation weaknesses.
I wrote my update piece as I did because the validation flaws were certain to be corrected within a few days by Microsoft. For this reason, the corporation did not stand to lose any significant amount of revenue before the bugs were corrected. Unlike a remote security hole — which I would never reveal unless Microsoft had had ample opportunity to release a patch — it endangers no one to reveal that the company’s software development practices are shoddy.
When Microsoft releases a significant change to Windows, I believe the change must be thoroughly tested, whether the change is a security patch or something else. So many companies and individuals are dependent upon Windows that a patch with negative side-effects can seriously impact their livelihood.
Microsoft worked on its Genuine Validation program for a period of two years, making it even more embarrassing that the routine was so poorly thought out. I only wish Microsoft tested its Windows software for buffer overruns and other security flaws using half the development resources that it budgeted for Genuine Validation.
I included the information I did about the bugs in the validation routine because, among other things, it might shine a light on other development problems within the corporation. The revelation of the weaknesses did not endanger any genuine Microsoft customers and will hopefully have some positive long-term effect on how well the Redmond company tests all the software it releases in the future.
Word of Cisco weaknesses travels fast
Also in my Aug. 4 news update, I reported on the controversy over Michael Lynn, a security researcher who resigned from his job in order to keep an appointment to discuss patched Cisco router weaknesses at a Las Vegas computer conference. Austin Burke writes the following about my coverage:
- “In your latest news update, you have an article entitled ‘Time to update your Cisco routers.’ In it, regarding Michael Lynn’s PowerPoint presentation, you wrote, ‘Unlike copies of this slide show that are now available on the Web, such as a PDF file at Security.nnov.ru, Lynn’s presentation responsibly blacked out some crucial code and omitted ISS’s trademarked logo from the slides.’ That WAS responsible of him, of course, and good of you to point it out. Why, then, would you provide a link to one of the irresponsible sites (Security.nnov.ru)?
“When I first saw the link, I thought it must have been a mixup — perhaps a mislabeled link to a responsible copy. But it’s not — to my surprise, it’s actually a link to a PDF that contains code that can compromise Cisco equipment. Why would you do that? What were you thinking? One of the tenets of your newsletters is security. Why would you propagate such dangerous instructions?”
The Security.nnov site’s posting of the ISS slide show was widely reported by numerous sources after Michael Lynn’s presentation was made at the Las Vegas conference. Since this information is widely available, it would be a disservice to white hats to keep them from knowing about it, because they can use it to test which Cisco routers are at risk.
Cisco has patched the flaws, and updates are freely available from Cisco’s site. “Security by obscurity,” in which we assume that exploits are unknown to the hacker community, is not a valid security strategy. Full disclosure, by contrast, improves the knowledge that white hats have and hastens the day when vendors release complete fixes for their products.
What is harmful, and what I will never do, is to release operable executable code that can be used by “script kiddies” to exploit known security flaws that are currently unpatched. Scores of Web sites release precisely this kind of attack code. The copying of this code by thousands of Web sites operated by programming amateurs is the reason why IE users are silently infected with spyware by merely using IE to visit such sites.
The information in the ISS slide show, as Michael Lynn pointed out in Las Vegas and in his interview with Wired News (which my article links to), in no way permits such an attack. Lynn said developing such an exploit would require deep knowledge of Cisco’s operating system and probably local access to a Cisco router. He also said Cisco’s plan to introduce “virtual processes” into its future software would, in fact, make remote exploits easier, as I reported.
I wanted to make the point that Michael Lynn did nothing in his Las Vegas presentation that could legitimately be objected to by either Cisco or ISS. If products have weaknesses that owners should guard against, that fact should be made as widely known as possible so white hats can install the available patches to protect themselves.
Black hats are constantly finding these weaknesses themselves, and they don’t tell us about them, so the good guys need to inform as many people as possible themselves. I believe in responsible disclosure of newfound security holes to vendors with reasonable notification periods. The Cisco flaws, by contrast, had been publicized and patched by Cisco some time ago, so there was no need for the legalistic reaction Cisco and ISS exhibited.
Readers Kole, Koenig, and Burke will receive gift certificates for a book, CD, or DVD of their choice for sending tips we printed.
Windows vulnerabilities from several sources
By Chris Mosby
Even though I frequently focus on browser vulnerabilities in this column, you can still find vulnerabilities just about anywhere in Windows. They range from installed software to hardware drivers to the operating system itself. No matter how hard anyone tries, no computer system can be 100% safe and secure. Anyone who tells you differently is just not telling you the truth.
A perfect example of this can be found in Microsoft’s next operating system, now known as Windows Vista. Microsoft only released Vista into beta testing by a limited number of developers a little over a week ago. Not wasting any time, a hacker released five proofs-of-concept that take advantage of security vulnerabilities in Monad, a new command shell that may appear in future versions of Windows three or more years from now.
The new command shell won’t be installed with Vista by default when it ships, and it isn’t in the Vista Beta 1. Nonetheless, the early exploitation resulted in bad press for Microsoft. The Microsoft Security Response Center has already written up an official statement in their blog.
Microsoft ActiveSync has security problems
Microsoft ActiveSync is one of those programs that I don’t usually think of when I think of a security vulnerability. ActiveSync merely synchronizes a PC and a Pocket PC. However, that didn’t keep Seth Fogie of Airscanner Mobile Security from disclosing a problem in both ActiveSync 3.7.1 and the latest version, 3.8.
This problem could allow a hacker, at the very least, to execute a denial-of-service attack on your mobile device. At the worst, you could be fooled into giving up the password you set to secure your mobile device.
What to do: If you have a firewall, you should be safe from this attack unless someone has opened port 5679. The advisory recommends that this port be blocked from all LAN and Internet access until Microsoft provides an ActiveSync patch.
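The advice above hinges on whether anything has actually been reaching port 5679. As an added example (not from the newsletter or the advisory), the following Python script parses a Windows Firewall log and lists the peers the firewall let connect to the ActiveSync port; it assumes the XP SP2 pfirewall.log layout (a `#Fields:` header followed by space-separated records), and the log lines embedded in it are constructed.

```python
"""Audit a Windows Firewall log for connections to the ActiveSync port.

Added example, not from the newsletter. It assumes the XP SP2 Windows
Firewall log layout (pfirewall.log): '#' comment lines, a '#Fields:' header
naming the columns, then one space-separated record per line. The sample
records below are constructed for illustration.
"""

ACTIVESYNC_PORT = 5679  # port named in the ActiveSync advisory

# Constructed sample log (not a real capture). Actions follow the XP format:
# OPEN = outbound connection allowed, OPEN-INBOUND = inbound allowed,
# DROP = packet discarded (path RECEIVE means it arrived from the network).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-08-11 09:14:02 OPEN-INBOUND TCP 192.168.1.20 192.168.1.50 3190 5679 - - - - - - - - -
2005-08-11 09:14:05 DROP TCP 10.0.0.7 192.168.1.50 44122 5679 48 S 3355224 0 65535 - - - RECEIVE
2005-08-11 09:15:10 OPEN TCP 192.168.1.50 207.46.130.108 3191 80 - - - - - - - - -
2005-08-11 09:16:33 OPEN-INBOUND TCP 192.168.1.33 192.168.1.50 1122 5679 - - - - - - - - -
2005-08-11 09:16:40 DROP UDP 192.168.1.77 192.168.1.50 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return a list of dict records keyed by the names in the #Fields: header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # version/software/date comments
        if fields is None:
            raise ValueError("record before #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        records.append(dict(zip(fields, parts)))
    return records


def audit_port(records, port=ACTIVESYNC_PORT):
    """Summarise inbound activity on one TCP port.

    'allowed_inbound' lists peers the firewall let connect to the port (the
    exposure the advisory warns about); 'dropped' counts blocked attempts.
    """
    allowed = set()
    dropped = 0
    for rec in records:
        if rec["protocol"] != "TCP" or rec["dst-port"] != str(port):
            continue
        if rec["action"] == "OPEN-INBOUND":
            allowed.add(rec["src-ip"])
        elif rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            dropped += 1
    return {
        "port": port,
        "allowed_inbound": sorted(allowed),
        "dropped": dropped,
        "exposed": bool(allowed),
    }


def audit_sample():
    """Run the audit over the constructed sample log."""
    return audit_port(parse_firewall_log(SAMPLE_LOG))


if __name__ == "__main__":
    result = audit_sample()
    if result["exposed"]:
        print("port %d reachable from: %s"
              % (result["port"], ", ".join(result["allowed_inbound"])))
    else:
        print("no accepted inbound connections on port %d" % result["port"])
    print("blocked attempts:", result["dropped"])
```

Any host listed under `allowed_inbound` had an accepted connection to 5679, which is exactly what the advisory says should be blocked from both the LAN and the Internet until a patch exists.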
USB drivers could attack computers
SecurityFocus recently released an admittedly vague advisory relating to certain USB device drivers that could produce an unspecified buffer overflow on Microsoft Windows computers.
The firm didn’t provide much technical detail on this issue, but did say that this problem could be used to run code on a computer — or cause it to crash — without the need for a user account.
A hacker would need to walk up to a computer and insert a specially designed USB device into an open USB port. If that’s possible, they could potentially install keylogger software or anything else (if they understood all the technical details that SecurityFocus didn’t describe).
I wouldn’t shut off all of the USB support on your computers just yet though. A hacker would have to know a lot about the computer he was attacking before something like this would work.
What to do: Good physical security is the best remedy for this problem. If hackers can get that close to your computer, they could just as easily unplug your computer and walk off with it.
This problem is a bit different for people who work in big office buildings and work in cubicles. You might not be able to do anything about the physical security of your computer. If co-workers can touch your PC when you’re not around, you may need to get a locked cabinet to defend the machine against such threats.
Keep a lookout for more information on this problem. When I see anything new, I’ll be sure to let you know.
IE JPEG problems fixed by patch
In my last column, I reported on four vulnerabilities in IE that were related to the browser’s JPEG image rendering engine. There are now several harmless examples of these exploits available for testing at SecuriTeam. You can also find the problem reported at Donna’s SecurityFlash and SecurityTracker.com.
These vulnerabilities were patched by Microsoft in its regular Patch Tuesday release on Aug. 9. The fix is in security bulletin MS05-038.
What to do: My advice from last time still stands — switch to an alternate browser, such as Firefox. Since IE is integrated into Windows and can’t easily be removed, however, you still need to apply MS05-038. See Susan Bradley’s cautions about this in her column, below.
If using another browser is not an option, you should make sure that IE is secured with Brian’s hardened configuration, and that you are using at least the recommended Security Baseline (above).
Severe hole in Windows 2000, 2003, XP SP1
The Web is ablaze with rumors about a severe flaw in Windows 2000 that’s been discovered by eEye Digital Security and reported to Microsoft.
If you take a moment to read the eEye advisory that’s linked to in the previous paragraph, you’ll see that eEye states the vulnerable software isn’t limited to Windows 2000, as many media outlets reported, but also includes Internet Explorer, Windows XP (gold), Windows XP SP1, and Windows 2003. (Prominent by its absence is XP SP2, which doesn’t appear to be affected.)
Some pundits say eEye researchers are still doing tests on other Microsoft operating systems. These reports suggest that yet other versions of Microsoft software will be affected by this gaping hole as well.
The flaw is reported to be severe enough that it could allow hackers to remotely enter a PC through its IP address, without any action being taken by the computer user. This flaw has "next world-spreading Internet worm" written all over it.
eEye, to its credit, won’t give out any more technical details, due to its policy of responsible disclosure to software vendors. However, the chief hacking officer of eEye, Marc Maiffret, was quoted by News.com as saying that a workaround is unlikely. "You can’t turn this [vulnerable] component off," Maiffret said. "It’s always on. You can’t disable it. You can’t uninstall."
Well, this is a nasty bit of news now, isn’t it? So far, there aren’t any known exploits for this. But who knows how long the details of this flaw will be kept a secret. If we hear any solid information on how to protect against this threat, we’ll be sure to pass it along to you.
What to do: The flaw was originally reported to be an IP attack, but eEye has revised its bulletin to clarify that it is not. Speculation by other researchers since that time suggests that the hole might be related to Microsoft’s Remote Procedure Calls. Without additional details, we can’t be sure at this point.
Exploit code targets Veritas Backup Exec
The French Security Incident Response Team (FrSIRT) has released a zero-day exploit that allows an attacker to compromise a Windows Server through a hole in Veritas Backup Exec 9.x and 10.0. We have no other details at this time. Thanks to Susan Bradley for information about this.
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Microsoft forgets to sign a few patches
By Susan Bradley
The calendar says we’re in the dog days of August, and Patch Tuesday this week was crawling along pretty slow, too.
The expected patches were released, all right. But reports were soon received from sources on the PatchManagement.org list that the direct-download patches for Internet Explorer had faulty digital signatures. As reported by the MSRC blog, however, the patches for Windows Update, Microsoft Update, SUS, and WSUS were unaffected by this. I cover the details of the problems below.
Microsoft update is acting up, too
As you know, I’ve told all the Patch Watch readers to switch from Windows Update to the new Microsoft Update (MU), as I did last issue. Now the new update routine appears to suffer from summer doldrums and lingering issues, just as NASA found with the foam on the Space Shuttle.
When I tested MU this morning, it required installing the Outlook Express patch (900930), found way down in the "noncritical" section, before it would offer up any new patches for the month of August.
In theory, MU shouldn’t depend on any patch in a less-critical section before it offers critical patches to you. By the time I finished testing and re-testing this on several machines, MU started acting as it should. Other than prompting me to download the Windows Genuine Advantage validation before offering up the rest of the patches, which is a new requirement, the update routine worked smoothly.
Let’s hope the same little irritations get worked out as easily for you. Assuming that all the mechanisms of patching are operating as they should, let’s move on to the patches you need to look for and make your priority.
One new IE patch is medium priority
MS05-038 (896727): You might expect me to say that you need to run right out and install this patch for Internet Explorer. But you’d be wrong.
First off, I'd hope that you're already taking mitigation action to proactively defend yourself from any browser you happen to be using. For example, you should be using Michael Howard's DropMyRights tool to better protect yourself when browsing the Web. This application, which is free for Windows XP and 2003, allows you to launch IE, Firefox, Outlook, Eudora, Lotus Notes and many other applications with lowered (more secure) privileges. This protects you from a great many Web exploits: a browser running under that reduced token can't write to HKEY_LOCAL_MACHINE or Program Files, so a drive-by installer that relies on those locations fails. It can still touch the user's own profile, which is why this is a mitigation rather than a cure. Ideally, we'd use lowered privileges almost all the time. But you may need administrator privileges throughout the day to accommodate some poorly-programmed app that wouldn't work otherwise. Michael's MSDN article has all the details.
Another good practice, if you're using IE and can't or don't wish to switch browsers, is to configure IE to surf with the security of the Internet Zone set to High.
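A quick way to confirm that the Internet zone really is at High on a given machine, as an added example (this is not code from the newsletter or from Microsoft). It reads the current user's zone 3 settings from the documented Zones registry layout; the handful of action IDs it checks is my own selection, not IE's full list, and the slider values are the ones IE records in CurrentLevel.

```powershell
# Added example, not from the newsletter: report whether the current user's
# Internet zone is at High and list zone actions still set to allow/prompt.
# Zone 3 is the Internet zone in IE's registry layout.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Slider positions IE records in CurrentLevel.
$levelNames = @{ 0x12000 = 'High'; 0x11500 = 'Medium-High'; 0x11000 = 'Medium'; 0x10500 = 'Medium-Low'; 0x10000 = 'Low' }

# Per-action URL policy values: 0 = allow, 1 = prompt, 3 = disable.
# Subset chosen for this example; IE defines many more action IDs.
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1804' = 'Launching programs and files in an IFRAME'
}

function Get-IEInternetZoneReport {
    if (-not (Test-Path $zonePath)) { throw "Internet zone key not found: $zonePath" }
    $props = Get-ItemProperty -Path $zonePath
    $level = [int]$props.CurrentLevel
    $levelName = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'Custom (0x{0:X})' -f $level }

    # CurrentLevel is only the slider position; the per-action values are what
    # IE actually enforces, so check those as well.
    $notDisabled = @()
    foreach ($id in ($actions.Keys | Sort-Object)) {
        $value = $props.$id
        if ($value -eq $null) { continue }          # action not present in this zone
        if ([int]$value -ne 3) {
            $state = switch ([int]$value) { 0 { 'allow' } 1 { 'prompt' } default { "value $value" } }
            $notDisabled += ('{0} [{1}] = {2}' -f $actions[$id], $id, $state)
        }
    }
    New-Object PSObject -Property @{
        Level       = $levelName
        IsHigh      = ($level -eq 0x12000)
        NotDisabled = $notDisabled
    }
}

$report = Get-IEInternetZoneReport
$report | Format-List
if (-not $report.IsHigh -or $report.NotDisabled.Count -gt 0) {
    Write-Warning 'Internet zone is not fully at High; set it under Tools > Internet Options > Security.'
}
```

Run it as the user who browses, since the settings live under HKCU. The script only reports; move the slider in the IE dialog rather than writing CurrentLevel yourself, because the dialog is what rewrites the individual action values.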
When you do install this week’s IE patch, be aware that, as in past cumulative Internet Explorer rollup packages, the standard warnings apply. That means that prior hotfixes may be removed, and will need to be re-installed, if you update with this package. For more information, see security bulletin MS05-038.
Don’t misunderstand, any patch to Internet Explorer should always be near the top of your patching list. But this month, I believe two other patches should get a higher precedence.
Two patches are essential to stop worms
MS05-039 (899588): Whenever I hear the words "Plug and Play," I think of devices, printers, and USB thumb drives. I don't necessarily start thinking "shades of Blaster." Yet the two security holes that are the most urgent for you to patch this week could be "in the wild" almost as quickly as you plug and play a new USB device.
On the PatchManagement.org list, Marc Maiffret warns that the flaw patched by MS05-039 has the potential to be the next big worm. For those still using Windows 2000, pay close attention to this patch: the issue is exploitable remotely, without any authentication to your system.
Exploit code has just recently been published on the Web. Microsoft has responded with security advisory 899588.
If you follow Brian’s advice in the Security Baseline, above, and never leave home without a firewall protecting your PC, the vulnerable file-sharing ports that this exploit requires are not exposed.
For those in corporate networks, however, this exploit raises concerns similar to MSBlaster. If an exploit gets behind your corporate firewall, it could mean big trouble. If you’re not running a host-based firewall, put this patch on a fast track for deployment. See security bulletin MS05-039.
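The firewall point above is worth checking rather than assuming. The following PowerShell script is an added example (not from the newsletter or from Microsoft) that, run from an administrator's workstation, reports which hosts in a list still accept connections on TCP 139 and 445, the SMB ports the Plug and Play RPC interface is reached through. The host names are placeholders I made up; replace them with your inventory. It tests reachability only, not whether MS05-039 is installed.

```powershell
# Added example, not from the newsletter: test which hosts accept TCP
# connections on the SMB ports (139, 445) that the MS05-039 attack vector
# needs. Host names are placeholders; swap in your own inventory.
# Reachability only: this does not tell you whether the patch is installed.
$targets   = @('w2k-file01', 'w2k-print01', '10.0.5.20')   # placeholder inventory
$ports     = 139, 445
$timeoutMs = 1500

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout counts as closed or filtered.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)          # throws on refused/unreachable
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-SmbExposure {
    param([string[]]$ComputerName, [int[]]$Ports, [int]$TimeoutMs)
    foreach ($name in $ComputerName) {
        $open = @()
        foreach ($p in $Ports) {
            if (Test-TcpPort -ComputerName $name -Port $p -TimeoutMs $TimeoutMs) { $open += $p }
        }
        New-Object PSObject -Property @{
            ComputerName = $name
            OpenPorts    = ($open -join ',')
            Exposed      = ($open.Count -gt 0)
        }
    }
}

Get-SmbExposure -ComputerName $targets -Ports $ports -TimeoutMs $timeoutMs |
    Format-Table ComputerName, OpenPorts, Exposed -AutoSize
```

Run it from the network position you care about (a user VLAN, a VPN pool), because a host that is filtered from one segment can be wide open from another. Anything that shows Exposed = True and is not yet patched goes to the front of the deployment queue.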
MS05-043 (896423): The other hole that’s easily exploitable also affects Windows 2000 machines. You can be affected adversely if W2K is merely running the Print Spooler service.
Since disabling the Print Spooler isn't a workaround I'd call practical, this is the second patch that should be a high priority. See MS05-043.
Both antiworm patches require W2K SP4
Your firm may be unlucky enough to have software that won’t run on anything past Windows 2000 Service Pack 3. If so, you need to know that the two essential patches I describe above are not supported on anything other than Windows 2000 SP4. As of June 30, 2005, support for Windows 2000 with Service Pack 3 was discontinued.
If you're stuck with a vendor that won't support your security patching needs, you may wish to nominate them for my Vendor Hall of Shame. This list highlights those vendors that say they don't support patching or have issues with patches.
RDP vulnerability is almost an afterthought
MS05-041 (899591): After a scary-sounding posting in the MSRC blog and a separate security advisory, it’s almost anticlimactic to read about a Remote Desktop Protocol (RDP) vulnerability that would merely allow a denial-of-service attack.
The good news is that MS05-041 doesn't apply to Windows 2000 Professional SP4, which has no Remote Desktop at all. Microsoft says the patch is needed only for Windows 2000 Server SP4 (where Terminal Services provides RDP), XP SP1 and SP2, and Server 2003. In addition, RDP is not enabled by default on these platforms, except on XP Media Center Edition with a Media Center Extender installed.
There have been active discussions on the Internet about this kind of denial-of-service attack. But compared with the Plug and Play and Print Spooler holes described above, this one doesn't seem so bad after all. See MS05-041.
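The three conditions this column uses to rank the Windows patches (Windows 2000 must be at SP4 for MS05-039 and MS05-043, MS05-043 matters wherever the Print Spooler is running, and MS05-041 matters only where Remote Desktop is listening) can be checked on a host in one pass. The following PowerShell function is an added example, not code from the newsletter or from Microsoft. The WMI class and registry locations are the standard ones; the mapping from each condition to a bulletin priority is this example's own rule.

```powershell
# Added example, not from the newsletter: decide which of this month's
# Windows bulletins apply to this host and how urgently, using the
# conditions the column describes.
function Get-AugustBulletinApplicability {
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $isW2k  = $os.Version -like '5.0.*'              # Windows 2000 reports 5.0.2195
    $hasSp4 = ($os.CSDVersion -eq 'Service Pack 4')

    # Print Spooler state (MS05-043 attack surface).
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($spooler -ne $null) -and ($spooler.Status -eq 'Running')

    # Remote Desktop / Terminal Services: fDenyTSConnections = 1 means refused.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdpEnabled = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)

    $pnp    = 'Install: reachable remotely, unauthenticated on Windows 2000'
    $spool  = if ($spoolerRunning) { 'Install now: Print Spooler is running' } else { 'Install: Print Spooler currently stopped' }
    $rdp    = if ($rdpEnabled) { 'Install: Remote Desktop accepting connections' } else { 'Lower priority: Remote Desktop disabled' }
    $spNote = if ($isW2k -and -not $hasSp4) { 'Windows 2000 below SP4: MS05-039/MS05-043 are not offered; go to SP4 first' } else { '' }

    New-Object PSObject -Property @{
        ComputerName     = $os.CSName
        OS               = $os.Caption
        ServicePack      = $os.CSDVersion
        MS05_039_PnP     = $pnp
        MS05_043_Spooler = $spool
        MS05_041_RDP     = $rdp
        ServicePackNote  = $spNote
    }
}

Get-AugustBulletinApplicability | Format-List
```

This needs local administrator rights for the service and registry reads. Treat the RDP result as a priority hint only; the patch still belongs on every listed platform, since someone can enable Remote Desktop later.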
Two remaining fixes for telephony and Kerberos
MS05-040 (893756) and MS05-042 (899587): The remaining two patches for this month involve telephony and Kerberos, respectively. The latter of the two patches also prevents a possible man-in-the-middle attack. This will be of interest to companies that want to defend their Smart Card deployments against PKINIT-related vulnerabilities.
After you install the Kerberos patch, you must also set a Registry key by hand to get the maximum PKINIT protection. This important fact is mentioned only in the FAQ section of the security bulletin, not in the main body. The Registry change, which is different for XP than for 2000/2003, is documented in Knowledge Base article 904766.
To obtain the patches themselves, see MS05-040 and MS05-042.
Three re-releases for Word Viewer, 2003, and OE
MS05-023 (890169): This bulletin has been re-released to cover an additional product found to be vulnerable: Microsoft Word 2003 Viewer. The viewer isn't part of Office 2003; it's a separate download that lets people who don't have Word installed view and print Word documents.
The updated Word 2003 Viewer replaces any previous viewer, such as Word 97 Viewer. You must uninstall any previous version, including an earlier Word 2003 Viewer, before installing the new, safe one. If you don't have Word 2003 Viewer installed, and you already installed MS05-023 back in April to patch Word and/or Microsoft Works, you don't need to reinstall the patch.
The re-release is not detected by Windows Update or MBSA. You’ll need to scan with Microsoft’s Enterprise Update Scan Tool version 2. For details on the re-release, see MS05-023.
MS05-032 (890046): Microsoft updated this bulletin because a revised version of the security update is available for some 64-bit systems, namely Windows Server 2003 (with or without SP1) for Itanium-based systems.
Microsoft rates the risk for 2003 systems as "low," so this re-release isn't urgent in my book. See MS05-032.
MS05-030 (897715): Last but not least, Microsoft also re-released this security bulletin for Outlook Express. The patch is no longer a cumulative update and no longer replaces MS04-018, which now must also be installed if it isn’t already. See MS05-030. (My thanks to Chris Mosby for his help with this tip.)
Windows Genuine Advantage fixed… for now
Soon after Brian wrote about the widespread Windows Genuine Advantage hacks in last week's news update comes word that WGA is fixed. The validation is now a two-step process and no longer allows the trivial circumventions that were so embarrassing to Redmond.
Want to know more about what Windows Genuine Advantage is and what benefits it offers owners of legal copies of Windows? Be sure to visit Microsoft's WGA Web site to keep up-to-date on the free software the company is providing to people who do validate their software.
Remember, automatic security updates will not be affected by the Genuine Advantage requirement at all.
While at Microsoft Update, what else to patch?
I’ll be the first to admit that I tend not to accept all patches from Microsoft Update.
I will always select security patches from the top section, possibly select some patches from the middle optional patch section, and never select driver updates from the bottom section.
I’d rather visit the Web site of the driver vendor and obtain it from there. Keep in mind that some OEM vendors can place their patches up in the critical section at the top, but this is not the normal place for driver updates. I personally have found that I have the most consistent luck with drivers from the vendors’ Web sites rather than from Windows Update.
Service pack issues and an APC gotcha
Brian’s news update alerted you to the fact that Update Rollup 1 (UR1) for Windows 2000 SP4 would be re-released. In news that’s disappointingly similar to the UR1 problems, I posted on my blog a listing of top issues that affect Small Business Server 2003 SP1.
As you deal with the above updates, be aware of yet another "gotcha." This one can be very destructive as you pull out your hair trying to guess what’s wrong with your Windows 2003 Server.
APC PowerChute Business Edition 6.x depends on a Java run-time certificate that expired on July 27, 2005. If you don't upgrade to 7.x, you could spend hours reconfiguring computer settings. A fellow SBS MVP found this out the hard way and shared his experience so we could all benefit.
August is turning out to be one time you should really make sure you reboot your server before applying any patches. This helps to rule out some knotty issues and ensures a fully functional server for this month’s updates.
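To make the reboot-before-patching rule something you can verify instead of remember, here is an added example in PowerShell (not code from the newsletter or from Microsoft). It checks the two markers Windows leaves behind when an earlier install still needs a restart, the Windows Update RebootRequired key and the session manager's queued file renames, and reports uptime; treating either marker as "reboot first" is this example's own rule.

```powershell
# Added example, not from the newsletter: run on the server right before
# applying the month's updates to see whether a reboot is already pending
# from an earlier install.
function Get-PendingRebootState {
    # Marker Windows Update writes when an installed update awaits a restart.
    $wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $wuPending = Test-Path $wuKey

    # File replacements queued for the next boot (used by hotfix installers).
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $renames = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $renamePending = ($null -ne $renames) -and (@($renames).Count -gt 0)

    $os = Get-WmiObject -Class Win32_OperatingSystem
    $lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
    $uptime = (Get-Date) - $lastBoot

    New-Object PSObject -Property @{
        ComputerName        = $os.CSName
        WindowsUpdateReboot = $wuPending
        PendingFileRenames  = $renamePending
        RebootPending       = ($wuPending -or $renamePending)
        LastBoot            = $lastBoot
        UptimeDays          = [math]::Round($uptime.TotalDays, 1)
    }
}

$state = Get-PendingRebootState
$state | Format-List
if ($state.RebootPending) {
    Write-Warning 'A reboot is already pending; restart before installing this month''s patches.'
}
```

A clean result does not guarantee a trouble-free install, but a pending reboot almost guarantees confusion, because the next patch will replace files that the previous one has not finished swapping in.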
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
UR1 — not an update, not a service pack
By Mark Burnett
About six weeks ago, Microsoft released Update Rollup 1 (UR1) for Windows 2000 SP4. Many people missed the security advisory, whereas some of those who saw the advisory and did install the rollup experienced problems. Microsoft has announced plans to reissue the update, due to a few glitches affecting some customers, but has not yet given an exact date for that release.
While I normally compliment Microsoft on its progress in patch management, it seems to have dropped the ball a bit on this update. It’s nothing major — it’s just that I’m barely starting to trust Microsoft’s process and it’s still a bit of a sore spot.
UR1 is not a service pack
Microsoft decided to release this update rollup instead of issuing anything called Service Pack 5 (SP5) for Windows 2000. Service packs are Microsoft's chance to bundle a lot of operating system fixes, updates, and minor enhancements into a single package. A service pack serves as a new baseline for that OS.
The problem is that the development, testing, and customer-deployment cycle for service packs is so long that they aren’t the most efficient way to get customers up-to-date with the latest security fixes. And, since the time between service packs is so great, we usually end up with dozens of hotfixes to keep track of since the latest service pack.
To address that problem, Microsoft occasionally releases update rollups. Update rollups are essentially a way to simplify patch management by bundling all OS fixes into a single update. Rollups don’t require a significant amount of testing, because they’re supposed to be just a repackaging of previous fixes.
So does that mean that if you’ve already installed all security updates, you don’t need this rollup? Unfortunately, no. According to MS KB article 891861, you should still install this update. That’s because it “contains important fixes that have not previously been part of individual security updates.”
Furthermore, the article says, this rollup includes “enhancements that may help increase system security, increase stability, reduce support costs, and support the current generation of PC hardware.”
Finally, the article notes that the rollup includes minor compatibility fixes to previous security updates.
In fact, while the update rollup includes fifty security updates, it also includes 447 other nonsecurity fixes, according to KB 900345. But we aren’t done yet. The reissue will include additional hotfixes to address the problems that came up in the original release.
It seems that this rollup isn’t simply a repackaging of current security updates, but it’s probably more accurately described as SP5 Lite. It doesn’t have quite as many fixes as a service pack might. But it still has the potential to disrupt things.
Certain disadvantages come with UR1
Normally, a rollup is quite helpful. It simplifies the installation process and establishes a new baseline from which to work. It also includes many other fixes that you normally cannot get from Microsoft without a support call. Finally, a rollup eliminates some of the confusion of hotfix supersedence, which sometimes trips up automatic patch management products. In general, rollups are a good thing.
But that’s not always the case. Sometimes, rollups can make things more confusing. It isn’t always clear what’s included and what you still need to update. For example, you still need to install Internet Explorer 6 updates and fixes for other components that are not part of the core OS.
It’s also hard to tell what updates you need using Microsoft’s security bulletin search page. You can show all the updates since SP4, but not all updates since SP4 Rollup 1.
How to handle rollup deployment
Deployment is another area where Microsoft goofed this time. The company announced the rollup in a security advisory out-of-cycle from the normal monthly update schedule. Presumably, it wanted to beat the June 30 deadline for free Windows 2000 support. But because it was in the process of upgrading Automatic Updates for Windows 2000 users, the rollup is not yet available as an automatic update — you have to manually install it from Windows Update or Microsoft Update.
Finally, there’s the issue of the pending re-release of UR1 on some unknown future date. Microsoft suggests that you not install the current version of UR1 if you’re affected by any of its known issues, as explained in KB 891861. But it’s hard to tell if you’re affected by these bugs without first installing the rollup. Because of this, many people are waiting for the re-release before installing the update.
Update Rollup 1 isn’t quite as transparent as the typical hotfix, but it isn’t as burdensome as the typical service pack, either. If you use an automatic patch management solution, be sure you know how it deals with this rollup and how it will address the reissue.
Mark Burnett is the author of Hacking the Code, coauthor of Stealing the Network: How to Own the Box, and an independent security consultant.
"Jeb's Jobs" is tech support on steroids
In a totally hilarious computer animation, tech support minion Jeb answers call after call from clueless PC users who won't let him catch a break. He finally loses it in a most spectacular way!
The 2-minute video clip is the latest production by Nick Forshaw of Weakend Productions. It's completely work safe, especially if you work in the nutso kind of place depicted in this movie short. Jeb's Jobs
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.
