Routers using WPS are intrinsically unsafe
In this issue
- TOP STORY: Routers using WPS are intrinsically unsafe
- LOUNGE LIFE: Bad news just in time for the holidays
- WACKY WEB WEEK: Holiday sounds and lights in Sioux Falls
- LANGALIST PLUS: Making your software environment fully portable
- BEST SOFTWARE: Goodbye, Messenger; hello, alternatives
- PATCH WATCH: Ending 2012 with the typical Windows fixes
Routers using WPS are intrinsically unsafe
Simple hacker tools can easily sniff out Wi-Fi passwords from routers that have Wi-Fi Protected Setup enabled — quite possibly yours included.
Here’s how to protect your network — and even hack your own router to see whether it’s vulnerable.
Launched in 2007, Wi-Fi Protected Setup (WPS) is a technology standard that’s intended to make setting up a Wi-Fi network less of a hassle. According to an article on the Wi-Fi Alliance (a consortium of Wi-Fi vendors) site,
“Wi-Fi Protected Setup enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices, and enable security. More than 200 products have been Wi-Fi CERTIFIED for Wi-Fi Protected Setup since the program was launched in January 2007.”
Without a doubt, WPS does make it very easy to add wireless devices to a network. Instead of a laborious, manual setup, WPS offers four simple methods for connecting wireless devices to WPS-enabled routers.
1. The PIN (Personal Identification Number) method is supported by Wi-Fi CERTIFIED routers. A short (just six to eight digits) PIN is either printed on a sticker somewhere on the router or is displayed in the router’s configuration software. The PIN serves as an alternate, low-security password separate from the router’s normal passphrase, which can be letters and numbers and up to 63 characters long.
   To connect a laptop, phone, tablet, or other wireless device to a WPS-enabled system, simply enter the short PIN when prompted on the wireless device. (For example, press the network Connect button in Windows 7; your notebook will communicate with the router, and a PIN entry box should appear.) The router’s software then recognizes the new device and allows it to connect.
2. The pushbutton method requires pushing a physical button or clicking an on-screen graphical button on both the router and the device (such as a newer, wireless-enabled printer) that’s being connected to the network. Once both buttons are pushed, the devices negotiate and establish the connection.
3. Some newer devices use near-field communication (NFC; Wikipedia info) to establish a WPS connection. Instead of pushing a real or virtual button, NFC uses close physical proximity (typically, a few inches) to trigger the initial WPS connection.
4. Some devices support the older USB method, in which network configuration details are written to a USB flash drive and physically transferred between or among wireless devices.
Most routers support at least two methods; some support all four. No matter which one is used, setting up a network connection via WPS usually takes only a few seconds.
Easy, yes — but it might be all too easy
Many WPS routers are vulnerable to attack because the six to eight plain-text numerals that make up a WPS PIN aren’t very hard to hack. About a year ago, researcher Stefan Viehböck published a paper (site) illustrating how to find a WPS PIN via a simple, brute-force attack that can be carried out with an ordinary laptop — or even a smartphone. He also offered a proof-of-concept application to do the cracking.
A stolen WPS PIN opens the door to your entire Wi-Fi network. An attacker can access your router’s passphrase and, with that in hand, easily connect to other devices on the network without any further use of the PIN. An attacker can change the router’s configuration and otherwise use or exploit your Wi-Fi network. It’s like handing a thief the keys to your house.
Viehböck reported his findings to Carnegie Mellon’s CERT (site), a recognized global clearinghouse for computer-security information. CERT confirmed the security hole and published Vulnerability Note VU#723755, which stated:
“An attacker within range of the wireless access point may be able to brute-force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service. … We are currently unaware of a practical solution to this problem.”
Using Reaver for totally automated WPS cracking
In the year since Viehböck published his paper, white-hat security hackers (especially the folks at Tactical Network Solutions; site) have adapted and expanded his proof-of-concept program, creating the free, open-source Reaver WPS hacking application (site).
Reaver is a completely legitimate security-testing tool anyone can use to see whether a router is vulnerable to WPS cracking. (It can, of course, also be used for malicious system cracking.)
And that’s where the trouble lies; Reaver requires almost no networking knowledge, special skills, or unusual tools. Any digital delinquent with a Wi-Fi–enabled laptop, a copy of Reaver, and a couple of idle hours, can successfully crack your WPS-enabled network.
The Reaver site states:
“Reaver implements a brute-force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in [Viehböck’s original paper].
“Reaver has been designed to be a robust and practical attack against WPS, and it has been tested against a wide variety of access points and WPS implementations.
“On average, Reaver will recover the target AP’s [access point’s] plain text WPA/WPA2 passphrase in 4–10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS PIN and recover the passphrase.”
Think about that for a moment. Regardless of how long and complex your Wi-Fi passphrase is, a system cracker using Reaver could effortlessly breach your WPS-enabled router (via the WPS PIN) in just a couple of hours.
I’ll come back to Reaver, to show you how to use it for its intended, legitimate purpose — to see whether your router is vulnerable to WPS cracking. But first, here’s what you can do to lock down your router to reduce the chances that Reaver — or any similar tool — will work.
Protecting against WPS-cracking attacks
CERT’s Vulnerability Note VU#723755 flatly states that the only known way to prevent WPS cracking is to disable WPS.
But router manufacturers don’t want to give up WPS. Users like it, and it keeps tech support calls down. So, instead of dropping WPS altogether, some manufacturers have adopted partial workarounds to reduce a router’s WPS vulnerability.
For example, some routers limit how long WPS is active. In this kind of setup, when you push the WPS button on your router, you have only a couple of minutes to complete an automated WPS connection with a wireless device. If the connection isn’t made in time, the WPS system is supposed to shut down. This time-out function should reduce the router’s WPS vulnerability to a short time.
Some routers also employ a lockout feature that temporarily disables WPS if the router detects several failed WPS connections in quick succession.
Unfortunately, if your router isn’t relatively new or isn’t running the latest firmware from the manufacturer, there’s a good chance it doesn’t support even these limited approaches to WPS hack prevention. And even if it does use these techniques, there’s no obvious way to know whether they’re actually working — and there’s good reason to suspect they might not be. (I’ll come back to this in a moment.)
Which brings us back to CERT’s advice: The only certain way to protect your Wi-Fi network from WPS cracking is to disable WPS entirely. I recommend you do that — right now!
Two quick ways to (possibly) disable WPS
The easiest way to disable WPS is the direct route — in the router’s configuration menu (see Figure 1). Although most current routers support this method, many popular older routers don’t.

Figure 1. This Cisco/Linksys router-configuration page has a seemingly easy way to turn WPS off.
Shockingly, selecting the option to disable WPS on some routers doesn’t actually do anything! The configuration screen might say that WPS is disabled, but it actually isn’t. (I’ll also come back to this in a moment.)
The second method relies on the fact that WPS depends on SSID broadcasting. A Wi-Fi network’s SSID (service set identifier) is the name of the Wi-Fi network; by default, most routers continually broadcast their SSID (which is how wireless devices produce lists of available networks).
Disable SSID broadcasting, and your network will no longer show up as an available network — but it also prevents WPS from working (see Figure 2), which in turn prevents WPS cracking.

Figure 2. Disabling SSID broadcasting also disables WPS.
Turning off SSID broadcasting creates a minor inconvenience when you want to add a device to your Wi-Fi network. Instead of picking the network’s SSID off a list of available networks, you’ll have to set up the connection manually, typing in both the SSID and the passphrase.
For more information on connecting to a Wi-Fi network that’s not broadcasting its SSID, see the TechNet article, “Non-broadcast wireless networks with Microsoft Windows.” Windows 7 users can also consult the TechNet article, “Connecting to wireless networks with Windows 7” — scroll down to the heading, “Set up a connection or network dialog box.”
With SSID broadcasting turned off, or with WPS directly disabled, you’re probably safe from WPS hacking.
Why only “probably?” Read on.
Disabling WPS might not work as it should
As alluded to above, some routers don’t properly disable WPS, even if the router’s configuration menu says otherwise. This is especially true of Cisco/Linksys routers made a few years ago, including the extremely common Linksys WRT54G2 router. Turning off WPS via its menus didn’t do what it was supposed to — WPS remained active.
(Note: The most recent generation Cisco/Linksys routers apparently do correctly disable WPS when instructed to do so, and Cisco/Linksys has been issuing firmware updates for its older routers. See the Cisco Knowledge Base article 25154, “WPS vulnerability status update for Linksys devices,” and Cisco document 690, “Wi-Fi Protected Setup PIN brute force vulnerability.”)
The Linksys WRT54G2 router is noteworthy only because of its popularity. But WPS vulnerability isn’t unique to Cisco/Linksys products. Many router brands and models are vulnerable, and many router vendors have been issuing firmware updates since the WPS vulnerability was discovered.
If you haven’t done so recently, visit your router manufacturer’s support site to make sure you’re using the absolutely latest router firmware; it will likely include the lightweight timeout/lockout fixes mentioned previously plus fixes that should allow properly disabling WPS via the manual configuration interface.
Don’t trust what your router says. Verify!
As should be clear by now, don’t automatically accept your router’s WPS configuration setting. You might think it’s disabled, but it’s actually still active.
How can you be sure that you’ve really disabled WPS? How can you tell if your router really is WPS hack-safe?
The only way to be 100 percent sure is to test-hack your router yourself, using Reaver for its intended purpose as a white-hat, network-testing tool. If Reaver fails to crack your router’s WPS system, you can rest easy. But if Reaver succeeds even after you’ve updated your router with the latest firmware, you’ll know it’s time to scrap that router and get one that lets you truly control WPS.
Reaver’s site contains the free, open-source software and an associated wiki containing abundant information on setting up and using the hacking tool.
However, Reaver is Linux-based software and, as such, might be unfamiliar to Windows users. So in the next issue of Windows Secrets, I’ll present a complete, illustrated, step-by-step article on how to test-hack your router, using Reaver.
Stay tuned!
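As a quick first check on the "verify" advice above, here is an added example (not part of the original article, and not a replacement for the full test it describes): under the WPS specification, an access point with WPS enabled advertises it in a vendor-specific information element in its beacon frames, so parsing a beacon captured from your own router shows whether WPS is still announced and whether the AP reports its PIN lockout as engaged. The sample beacon bytes are constructed, and capturing the beacon itself is assumed to be done separately.

```python
import struct

VENDOR_SPECIFIC = 221                           # 802.11 element ID 0xDD
WPS_VENDOR_PREFIX = bytes.fromhex("0050f204")   # OUI 00:50:F2, OUI type 4 = WPS
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044                         # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057                   # 1 = AP has locked out PIN attempts
WPS_STATES = {1: "not configured", 2: "configured"}


def iter_elements(buf):
    """Yield (element_id, payload) from a beacon's tagged-parameter bytes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated element header at offset %d" % pos)
        eid, length = buf[pos], buf[pos + 1]
        payload = buf[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated element %d at offset %d" % (eid, pos))
        yield eid, payload
        pos += 2 + length


def parse_wps_attributes(data):
    """Parse WPS attributes: 2-byte type, 2-byte length (big-endian), value."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated WPS attribute header")
        attr_type, length = struct.unpack_from(">HH", data, pos)
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated WPS attribute 0x%04x" % attr_type)
        attrs[attr_type] = value
        pos += 4 + length
    return attrs


def wps_status(tagged_params):
    """Report whether a beacon advertises WPS, its state, and the lock flag."""
    seen = False
    body = b""
    for eid, payload in iter_elements(tagged_params):
        # Other vendor elements (e.g. WMM, OUI type 2) share the same OUI,
        # so the OUI type byte must be checked as well.
        if eid == VENDOR_SPECIFIC and payload[:4] == WPS_VENDOR_PREFIX:
            seen = True
            body += payload[4:]   # WPS data may be split over several elements
    if not seen:
        return {"advertised": False, "state": None, "locked": False}
    attrs = parse_wps_attributes(body)
    state = attrs.get(ATTR_WPS_STATE)
    return {
        "advertised": True,
        "state": WPS_STATES.get(state[0], "unknown") if state else None,
        "locked": attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[:1] == b"\x01",
    }


# --- Constructed sample data (not captured from a real device) ---
def _ie(eid, payload):
    return bytes([eid, len(payload)]) + payload


def _attr(attr_type, value):
    return struct.pack(">HH", attr_type, len(value)) + value


_SSID = _ie(0, b"HomeNet")
_WMM = _ie(VENDOR_SPECIFIC, bytes.fromhex("0050f202000100"))
_WPS_BODY = (_attr(ATTR_VERSION, b"\x10")
             + _attr(ATTR_WPS_STATE, b"\x02")
             + _attr(ATTR_AP_SETUP_LOCKED, b"\x01"))

BEACON_WPS_ON = _SSID + _WMM + _ie(VENDOR_SPECIFIC, WPS_VENDOR_PREFIX + _WPS_BODY)
BEACON_WPS_OFF = _SSID + _WMM
BEACON_WPS_SPLIT = (_SSID
                    + _ie(VENDOR_SPECIFIC, WPS_VENDOR_PREFIX + _WPS_BODY[:7])
                    + _ie(VENDOR_SPECIFIC, WPS_VENDOR_PREFIX + _WPS_BODY[7:]))

if __name__ == "__main__":
    for name, beacon in (("WPS on", BEACON_WPS_ON), ("WPS off", BEACON_WPS_OFF)):
        print(name, wps_status(beacon))
```

If a beacon captured after you switch WPS off in the router's menu still returns `advertised: True`, the setting did not take effect.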
Bad news just in time for the holidays
If you use PayPal, check out the Security & Scams forum for Lounge member Banyarola’s new posting about a pretty persuasive PayPal phishing scam.
You’re likely to find plenty else to worry about in that forum. But given the millions of dollars holiday shoppers are spending online right about now, we suggest starting with the latest threat to your PayPal account.
Holiday sounds and lights in Sioux Falls
By Kathleen Atkins

On the chance you’re not in Sioux Falls, South Dakota, for the holidays, you’ll surely want to check out this video of a display playing daily for the locals at the Western Mall. Originally a light show created by the owners of a private residence in Crooks, S.D., the show now appears in front of a 24-foot-tall, 3-D replica castle in the middle of the mall. Best of all, it raises lots of money for the Make-A-Wish foundation. For more info, check out Christmas at the Western Mall (site). Enjoy!
Making your software environment fully portable
It’s possible to run all your software — operating system, applications, utilities, everything — from a single flash drive or DVD.
But a completely self-contained software environment also comes with some major drawbacks that you need to be aware of.
Seeking more input on software portability
Reader Peter Brown is mulling over truly portable software.
- “I would like to see Fred Langa devote some space to his views on portable programs.
“I run many portable programs on my computer because I like the fact that they clutter up my registry less — at least, I hope that is how they operate.
“I haven’t seen any downside to using these programs. Maybe they run a bit slower, but if so, it seems marginal.
“So why can’t all software be portable?”
Just to be completely clear: by portable, I assume you mean standalone, completely self-contained programs that can run directly without a formal installation process — and from any medium, including flash drives or DVDs.
In theory, almost any program could be made portable. But you might not like the results.
The main problem is integration. A standalone app runs in a kind of functional isolation from the rest of your system. Without formal installation, other programs on your PC won’t even know the standalone app exists, so they can’t take advantage of its features and abilities.
This might not be an issue with small, highly focused applications that do just one or two very specific, self-contained tasks. But it’s a real problem with apps that provide more general services.
For example, a self-contained browser wouldn’t be able to respond to URLs clicked on or generated in any other app. A self-contained word processor wouldn’t be able to respond when you click on a document file in Windows Explorer — or anywhere else except inside the word processor itself. A self-contained e-mail program would mean that you’d lose the ability to “click to e-mail” anywhere except from within the actual e-mail client. And so on.
If all apps were built this way, it’d be like returning to the earliest days of DOS, when each program ran by itself, unconnected to other programs.
I wouldn’t want to return to those days, and I’m sure most Windows users wouldn’t, either.
Moreover, if you’re talking about literal portability — putting a program on an external flash drive and carrying it from PC to PC — there are additional issues.
Consider size. Tiny apps are one thing, but full-featured software takes up considerable space. MS Office 2010, for example, requires 3GB. Photoshop needs 1GB; Quicken, 1GB; Norton 360, 300MB. Firefox and iTunes each need 200MB. Want to play World of Warcraft? You’ll need 25GB of disk space! And so it goes.
In other words, you’ll need a really large USB flash drive to hold a complete library of fully featured software. And while large flash drives are available, they’re a lot more expensive, byte for byte, than conventional drives.
Then there’s speed. External flash drives communicate via USB, which is much slower than conventional hard-drive interfaces. For example, a SATA 3 data bus for a conventional drive offers a throughput of about 600 megabits per second. (See a Wikipedia article on computer data bus speed.) But USB 1 crawls along at just 1.5 Mbps and USB 2 at 60 Mbps.
USB3 might eventually approach standard hard-drive bus speeds, but according to EverythingUSB.com (site), the current real-world fastest USB 3 device reaches only 124 Mbps.
You might not notice the slowness of USB drives when you’re loading a tiny, self-contained app. But you’d notice it for sure when loading a large program (or many programs) or when you’re writing lots of data.
Maybe you’d prefer to skip flash drives entirely and put your portable software collection on a roomy, rewritable DVD? Unfortunately, optical discs are even slower than USB flash drives! DVDs max out at about 11 Mbps and Blu-rays at about 54 Mbps (Wikipedia article).
There are security issues. For example, what happens if that tiny, keychain flash drive holding your entire software universe is lost, damaged, or stolen? What happens if you crack or scratch the DVD that holds all your software?
There’s more, but you get the idea. Small, self-contained, portable apps are useful and neat, but I wouldn’t want my entire software library done that way. I prefer the speed, integration, and physical security of software conventionally installed on an internal hard drive.
All that said, if you don’t mind the drawbacks, there’s nothing stopping you from building your own totally portable computing environment — including the operating system!
For example, you can roll your own bootable Windows or Linux installation. Here are some online resources:
- Bart’s Preinstalled Environment (BartPE) — creates a bootable Windows on CD/DVD (site)
- Reboot.pro tutorial, “Boot and run Windows 7 from USB hard disk by Marietto2009”
- Flash-Puppy — a free, complete, Linux environment (including apps) on any bootable USB storage medium
- LinuxLive USB Creator — lets you run and explore Linux from within Windows and also create a bootable Linux on USB.
Or see Lincoln Spector’s July 8, 2010, story for tips on creating bootable flash drives.
So if you want a fully portable environment, it’s there for you!
More on malware protection for virtual PCs
Keith Irvin wonders whether his host PC’s anti-malware tools also protect his virtual machines (VMs).
- “Regarding the Nov. 21 item, ‘Looking for an antivirus for a virtual machine,’ I would be interested in your response to my perspective.
“I’m thinking that a VM guest (whether it’s running or paused/asleep/shut down) is just a set of files. It seems to me that the antivirus solution on the host would scan all the files of the guest.
“Sure, you might want an antivirus solution running on the guest while the guest is running (for real-time protection); but otherwise, whenever you scan from the host, it’s also scanning the files that make up the VM guest (e.g., *.vmdk, *.vmem, *.vmss, *.vmx, etc.).
“Your thoughts?”
The problem isn’t so much with the virtual machine software itself (*.vmem, *.vmss, *.vmx, etc.). That software is unlikely to be a malware target. Rather, the problem is with the files that end up on the VM’s virtual hard drive.
As you say, a virtual hard drive is really just a very large file that resides on your real, physical hard drive. But the files are often 10–20GB in size, and they’re in a special format. What’s more, different virtual machines use different formats for their virtual hard drives. You mention .vmdk, but other common virtual drive formats include .vdi, .vhd, .hdd, .qed, and .qcow.
Not all malware tools scan all file types, especially in “Quick Scan” modes; not all malware tools can handle the gigantic file sizes typical of virtual hard drives. And not all malware tools can interpret the special formats of a virtual hard drive file to look inside the file for malware that might lurk there.
In short: If you’re depending on your host PC’s anti-malware tool to protect your virtual machines, you’re taking a big chance.
Instead, I think it’s much safer to equip a VM with a free AV tool that provides both real-time protection and periodic scanning.
Internet Explorer 8 keeps crashing
Carl has had it with IE 8.
- “Internet Explorer keeps crashing, and every time I want to search for something on websites, I have to download a number of ‘fixes,’ none of which works. I keep getting the error: ‘Internet Explorer has stopped working. A problem caused the program to stop working correctly. Windows will close and notify you if a solution is available.’
“This has been going on ever since I upgraded to IE 8 — and I didn’t even upgrade by choice! How can I fix this?”
Carl, I suspect you have either malware afoot or some add-on or third-party toolbar messing with your IE 8 setup. Try this:
- First, to verify that your system is secure and uninfected, scan your system for malware with a free standalone security scanner such as ESET’s Online Scanner (site), Microsoft’s Safety Scanner (site), or Trend Micro’s House Call (site).
- Next, deactivate all add-ons, plug-ins, and third-party tools that have barnacled themselves to your browser. It’s easy. Just follow the steps in my Jan. 6, 2011, article, “Return IE to its just-installed state with ease.”
- Consider periodically running a good cleanup tool, such as either Piriform’s CCleaner (free and paid; site) or Macecraft’s free PowerTools Lite (site). Those and similar tools help keep your browser’s temporary-file areas under control.
- Finally, think about installing and running a tool such as Secunia PSI (site) to make sure all your most important software is up to date and free of known security issues. (See the July 26 Top Story, “Software that updates your other software.”)
With your system clean and fully up to date, and with IE 8 free of add-ons, plug-ins, and extra toolbars, I bet things will work as they should.
Another Android-Outlook synching option
In response to the Nov. 15 article, “Synching Outlook to an Android device,” Bill Brody writes:
- “Here’s a Google-free solution to the Galaxy synching problem.
“I acquired a Galaxy S III about a week ago. I tried just about every sync software package available before finding Android-Sync (site).
“It accurately handles two-way synching with my Outlook 2007 program — and without intermediaries.
“The program can be set for manual or automatic synching (connecting whenever an Android hand-held device is connected to a desktop PC). It’s extremely fast in automatic mode — far speedier than the BlackBerry desktop software I’d been using.
“And it’s competitively priced with other proprietary packages: U.S. $29.95 for a personal license, $49.95 for a company license. A trial download is also available.”
Thanks, Bill! If the free and low-cost options discussed in that previous article don’t work, this could be well worth a look.
Bill Brody will receive a gift certificate for a book, CD, or DVD of his choice for sending the tip we printed above. Send us your tips via the Windows Secrets contact page.
Goodbye, Messenger; hello, alternatives
Which instant-messaging client will take the place of the world’s most popular IM client?
Skype has the inside track, but there are a number of useful alternatives, many of which connect you to multiple messaging platforms.
Why Microsoft gave Live Messenger the boot
Microsoft’s May 10, 2011, announcement that it was acquiring Skype generated widespread speculation over what would happen with the extremely popular voice-over-Internet-protocol (VoIP) service. It appeared that Microsoft was buying Skype simply to add real-time communications to its products (Xbox and Windows Phone were mentioned in the press release) and investments — including Facebook. The social-networking site did indeed receive Skype integration, shortly after Google released Google+ Hangouts, a free service that offers videoconferencing for up to 10 people at a time. There was also speculation that Skype would end up as a component of Windows 8. (The Windows 8 version of Skype is currently a separate download from the Microsoft Store.)
It’s now clear that there was more to the Skype accession than simply lending extra features to Facebook. The world’s most popular VoIP application, Skype is now available on virtually every mobile and desktop platform. It will even work on some traditional phone handsets — or turn your Sony PlayStation Vita or Apple iPod touch into a Wi-Fi-connected mobile phone.
Known primarily for its voice- and video-calling features, Skype also includes an IM client that’s rapidly growing in popularity. (It was originally intended to coordinate calls and exchange links during voice/video conferences.) That capability put it in direct competition with Windows Live Messenger. With its broad support for platforms outside the Windows ecosphere, Skype was the clear winner.
As most Skype users have now discovered, whether they like it or not, Microsoft is merging the two services under the Skype banner. As detailed in a recent Skype The Big Blog post, Messenger will disappear in Q1 2013 everywhere except in China. As a screenshot in the posting shows, Skype users who also have a Microsoft account are prompted to merge their accounts under their MS account sign-in name. As part of the merge process, Messenger contacts are automatically added to Skype. (If you later sign in using your original Skype name and password, you might get nag messages suggesting you use your MS account sign-in name.)
Pick an alternative to Skype/Messenger?
Skype is an excellent communications platform. Its all-inclusive package of instant messaging, cheap long-distance calls, and video chats on almost any platform have made it a must-have service for both personal and business users. For many Messenger users, moving to Skype is the obvious choice.
The Skype client does, however, have drawbacks — especially for heavy-duty IM users. For example, it supports only its own IM protocol. You can’t use it to IM contacts who are on Google Talk, AOL Instant Messenger, or ICQ. Its file-transfer capabilities are also relatively weak, compared to clients such as Trillian and Pidgin.
As you might expect, Skype has a completely new interface for Windows RT. Longtime Skype users might not find it very user-friendly to constantly switch to the full-screen Metro version of the app when responding to messages.
Here are some of the better third-party IM clients available. Wikipedia has a good (though possibly somewhat dated) comparison of what various IM clients support.
Trillian: This IM client has been one of the standards for heavy-duty IM use. Trillian (site) has come a long way in the past five years, expanding its offerings from simple chat platforms such as AIM and Yahoo to social networks such as Facebook, Twitter, and Google Talk (now connected to Google+). And yes, it even supports Skype.
Trillian supports most common mobile platforms, and according to a Trillian forum post, there’s a Metro version on the way.
Pidgin: Another popular IM client, Pidgin (site) has a minimalist interface but supports most of the traditional IM client features. You can connect to MSN, Yahoo, AIM, IRC, and ICQ, among other popular chat platforms. It has long been my go-to IM client for Windows, though it doesn’t quite have the robust support of Trillian. For example, it does not natively support instant messaging with Skype, but you can add it with a plugin. At this time, Pidgin also has no mobile-device support.
Miranda IM: According to its site, Miranda is a light, highly customizable, open-source alternative that offers over 350 plugins. In its default form, it’s relatively bare-bones and has an old-school look about it. However, it does offer wide support for various IM protocols, social networks, and dedicated chat platforms. Miranda’s primary weakness is device support — it runs only on Windows.
Imo instant messenger: Whereas most IM clients are local apps, imo (site) is Web-based — although there are downloadable apps for iOS, Android, and BlackBerry. It has wide support for major IM protocols and lets you use your sign-in name and password for other services such as Skype, Facebook, Google Talk, and Yahoo. You can essentially use imo as your IM client from any device that has a browser, making it an excellent backup system should you find yourself on a public computer.
What to expect in future Skype clients
Skype’s plans to grow and expand its reach within the Microsoft ecosphere were unveiled in the Dec. 11 Big Blog post. These plans include increased integration with the enterprise-based Microsoft Lync (more info) and better tutorials and how-to features for Windows 8/RT users. The development roadmap also includes enhanced support for platforms outside Microsoft.
Ending 2012 with the typical Windows fixes
We come to the last set of updates for 2012, and it’s the usual round of suspects — new Internet Explorer and Windows kernel fixes.
But many Windows users will also see an awkward assortment of reissued patches and a slew of Win8 fixes.
MS12-077 (2761465)
Finishing the year with another browser patch
It would not be Patch Tuesday without another fix for Internet Explorer. Even if you use another browser for your day-to-day Web activities, you should install most (if not all) IE updates. KB 2761465 is rated critical only for Vista SP2 and Windows 7 systems using IE 9, and Windows 8 systems using IE 10.
Microsoft doesn’t give a severity rating for systems using IE 6 through 8. Those versions get the update only for a defense-in-depth measure — they’re not vulnerable to this exploit. The defense-in-depth measure blocks cross-site-scripting attacks, in which an attacker convinces a PC user to paste JavaScript code into the browser’s URL field.
What to do: Install KB 2761465 (MS12-077) without delay.
MS12-078 (2753842, 2779030)
Another round of kernel and font fixes
Once again, we’re stomping out bugs in fonts and the Windows kernel — specifically, the TrueType or OpenType font drivers ATMFD and win32k.sys. The updates impact all supported Windows versions except Windows RT, and they’re rated critical.
What to do: It’s anticipated that attackers will use this vulnerability as part of blended attacks. Install KB 2753842 and/or KB 2779030 (MS12-078) as soon as possible.
UPDATE, 2012-12-14: KB 2753842 changed to Wait for now. There are reports the update causes fonts to disappear in CorelDRAW. Other graphics apps might be affected, too.
UPDATE, 2012-12-20: Today, Microsoft released an update of KB 2753842 to solve an OpenType conflict associated with the original patch. You should either install or reinstall KB 2753842.
MS12-079 (2760410, 2760416, 2760421, 2760497)
RTF files, opened in Word, lead to remote attacks
The vulnerability fixed by the updates in MS12-079 just reinforces the fact that HTML-based e-mail can be deadly at times. In this case, malicious rich-text files could be used to take over a PC.
These patches are rated critical for Office 2003 SP3, 2007 SP2 and SP3, and 2010 SP1. They are important for Word Viewer and current Office Compatibility Packs.
What to do: You might be offered more than one of these updates. For example, if you’re running Word 2007, expect to see KB 2760421 and KB 2760416 (to fully protect Office Compatibility Pack). Install the appropriate updates in MS12-079 as soon as possible.
MS12-081 (2758857)
Unicode filenames can lead to attack
It’s a wonder it took someone so long to find this bug. A malicious coder can use a Unicode file name to gain the same rights as a PC’s current user. The update is rated critical and impacts all current versions of Windows, except Windows 8, Windows RT, and Windows Server 2012. We could see attacks using this vulnerability within the next 30 days.
What to do: Install KB 2758857 (MS12-081) as soon as possible.
MS12-082 (2770660)
DirectPlay flaw might lead to DirectAttacks
DirectPlay is a deprecated building block that Microsoft used in computer game development (per a Wikipedia item). Deprecated or not, it’s still included in every supported Windows operating system as part of DirectX — except for the new kid on the block, Windows RT. All other Windows users could be attacked via a malicious Office document with an embedded ActiveX control.
The update is rated important because Microsoft does not anticipate that attackers will be able to build reliable exploits for this vulnerability.
What to do: Despite the update’s relatively mild security-impact rating, install KB 2770660 (MS12-082) as soon as possible.
MS12-080 (2784126) and MS12-083 (2765809)
Two new security updates for Windows servers
We wrap up the latest 2012 Patch Tuesday updates with two items for server administrators — starting with MS12-080.
Microsoft has in the past used some (now vulnerable) Oracle binaries in Exchange Servers. The three patches in MS12-080 update those binaries in MS Exchange Servers versions 2007 SP3 (KB 2746157), 2010 SP1 (KB 2787763), and 2010 SP2 (KB 2785908).
Unfortunately, Microsoft decided to include nonsecurity updates along with the three critical patches. As comments in the Dec. 11 Exchange Team Blog show, some admins are not happy about security and nonsecurity rollups. Moreover, the track record for these rollups is less than stellar, making many Exchange admins gun-shy about installing these rollups quickly.
I don’t blame them. I run Exchange Server in my office, and I plan to wait and watch while others add the patch (and rue the day they didn’t wait).
The patch in MS12-083 (KB 2765809) is only for servers that use the remote-access technology — DirectAccess — and then only for Windows Server 2008 R2 and Server 2012, the two authentication servers for DirectAccess. Rated important, the update fixes a flaw in Windows’ certificate-revocation check. Using a revoked certificate, a malicious client could bypass system security and sign in to servers that are using the IP-HTTPS protocol.
What to do: I recommend holding back on the patches in MS12-080 and MS12-083 — at least until I can report any problems that arise between now and the next Patch Watch.
MS12-043, MS12-057, MS12-059, MS12-060
Numerous do-overs for MS code-signing flaw
If you wonder why you’re seeing more security updates offered this week than those noted above, it’s because Microsoft is still fixing — and reissuing — older updates affected by its code-signing debacle. (I discussed this in the Oct. 11 Patch Watch, and it’s also documented in MS Security Advisory 2749655.)
Just to make things really interesting, Microsoft has given each of these re-released updates new KB numbers! Here’s the quick list:
- KB 2687627 replaces KB 2687324 (MS12-043): an update for Microsoft XML Core Services 5.0, when installed on Microsoft Office 2003 Service Pack 3.
- KB 2687497 replaces KB 2596679 (MS12-043): an update for Microsoft XML Core Services 5.0, when installed with all affected editions of Microsoft Groove 2007, Microsoft Groove Server 2007, and Microsoft Office SharePoint Server 2007.
- KB 2687501 replaces KB 2553260, and KB 2687510 replaces KB 2589322 (MS12-057): patches for specific editions of Microsoft Office 2010.
- KB 2687508 replaces KB 2597171 (MS12-059): an update for Microsoft Visio 2010.
- KB 2726929 replaces KB 2687323 (MS12-060): an update for Windows common controls in all variants of Microsoft Office 2003 SP3, Office 2003 Web Components SP3, and editions of Microsoft SQL Server 2005.
What to do: Ultimately, you should reinstall these updates. But (assuming you installed the original updates) you should already be protected from the related vulnerabilities, so it’s not critical that you reinstall these updates immediately.
2506143, 2779562, 931125
Three relatively narrow updates to skip
For time-zone updates, I typically apply the “If it isn’t broken, don’t try to fix it” principle. KB 2779562 is a cumulative time-zone patch for all current versions of Windows. It corrects daylight-saving-time changes in Bahía, the Azores, Fiji, and Jordan.
Included in this month’s Patch Tuesday releases is a root-certificate update — KB 931125. This patch caught my attention when I found it among my Windows 7 optional updates; Win7 is supposed to get its certificate updates automatically. In theory, it should never need manual updates, as Windows XP does. As documented in an MS TechNet Wiki article, the update includes new root certificates from China, the Netherlands, Macau, Sweden, and France.
As regular Patch Watch readers know, several security-certificate authorities have recently been compromised. And after reading a Chinese Financial Certification Authority auditor’s report (PDF) published on the WebTrust site, I’m not confident that the CFCA can successfully ward off all attacks on its certificates. Page three of the report (dated Nov. 2) states, “Management has not placed the CA services in operation.” I think I want a bit more proof of CFCA’s security before installing its root certificates on my systems.
KB 2506143 brings PowerShell Version 3 to Windows 7. If you are in a business setting, your administrator will deploy the update to you. I don’t think standalone computers in home settings need this management framework. Feel free to hide this patch.
What to do: Skip KB 2506143, KB 2779562 (unless needed), and KB 931125.
2757007, 2757011, 931125
Rollup updates for specialized MS servers
If you’re running one or more of Microsoft’s specialty servers — specifically, Windows Home Server 2011, Windows Small Business Server 2011 Essentials, or Windows Storage Server 2008 R2 Essentials — three rollup updates offer better support for Apple Mac integration and also fix other issues noted in the respective bulletins.
The updates include:
- KB 2757007, for SBS 2011 Essentials
- KB 2757011, for Home Server 2011
- KB 2757013, for Storage Server Essentials
All three updates are installed on the servers; the updates will then trigger a client-side update as well.
What to do: Admins should install these updates as soon as possible.
2771431
A special Patch Watch for Windows 8 and RT
For this Patch Tuesday week, I’m giving Windows 8 pioneers a short patching reprieve. Microsoft has released numerous Windows 8 updates recently, and there are many issues related to these updates. So I’ll review them in a special Patch Watch edition in next week’s Windows Secrets.
For now, however, it’s critical that Win8 users install KB 2771431; it fixes issues with Win8’s updating system. For example, when Windows Update runs an applicability scan, the system experiences high CPU usage and the scan takes longer than it should.
What to do: Install KB 2771431 immediately and hold off on the many other Win8-specific patches until I review them next week.
Regularly updated problem-patch chart
This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table. For Microsoft’s list of recently released patches, go to the MS Safety & Security Center PC Security page.
Patch | Released | Description | Status |
---|---|---|---|
2553272 | 08-14 | Office 2010 stability/performance fixes (status change) | Skip |
2598289 | 08-14 | Office 2010 stability/performance fixes (status change) | Skip |
2592687 | 10-23 | Windows RDP 8.0 update for Win7 SP1 | Skip |
2574819 | 10-23 | Adds DTLS support to Win7 SP1 | Skip |
2750841 | 11-13 | MS/OpenDNS IPv6 conflict | Skip |
931125 | 12-11 | Root certificates | Skip |
2506143 | 12-11 | PowerShell 3 | Skip |
2779562 | 12-11 | Time-zone fix | Skip |
2735855 | 09-11 | Windows Filtering Platform: potential third-party firewall impact | Wait |
2553402 | 10-09 | MS FAST Search Server 2010 for SharePoint SP1 | Wait |
2731771 | 10-09 | Time-zone conversion | Wait |
2739159 | 10-09 | Windows 7 encryption | Wait |
2754849 | 10-09 | SQL Server; see MS12-070 for complete patch list | Wait |
2756822 | 10-09 | Cumulative time-zone update | Wait |
2745030 | 11-13 | .NET updates; see MS12-074 for complete patch list | Wait |
2647753 | 10-09 | Printing core components — timestamp reissue | Optional |
2732487 | 10-09 | Segoe font — timestamp reissue | Optional |
2770816 | 10-23 | Install only if KB 2756872 fails; check MS Support site for details | Optional |
2661254 | 08-14 | Minimum certificate key length | Install |
2720184 | 11-13 | Excel vulnerabilities; see MS12-076 for complete patch list | Install |
2727528 | 11-13 | Windows Briefcase | Install |
2761226 | 11-13 | TrueType kernel | Install |
2761451 | 11-13 | IE 9 cumulative update | Install |
2753842 | 12-11 | Windows kernel; also KB 2779030 (UPDATE: status change) | Install |
2758857 | 12-11 | Unicode file names | Install |
2760410 | 12-11 | Word 2010 | Install |
2760416 | 12-11 | Office Compatibility Pack (might be offered) | Install |
2760421 | 12-11 | Word 2007 | Install |
2760497 | 12-11 | Word 2003 | Install |
2761465 | 12-11 | Internet Explorer cumulative update | Install |
2770660 | 12-11 | DirectPlay | Install |
Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.
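One way to check a Windows PC against the chart above, as an added example that is not part of the original column: the script compares the updates reported by Get-HotFix with a subset of the chart's Windows rows. The function name Compare-PatchStatus and the choice of rows in $chart are assumptions made for this illustration.

```powershell
# Added example: compare installed updates with the Patch Watch status chart.
# Written for PowerShell 2.0 (no PowerShell 3 features), so it runs on a
# Windows 7 system that has skipped KB 2506143.
# Only a subset of the chart's rows is embedded here; extend $chart as needed.
$chart = @{
    'KB2506143' = 'Skip';    'KB2779562' = 'Skip';    'KB2750841' = 'Skip'
    'KB2735855' = 'Wait';    'KB2731771' = 'Wait';    'KB2739159' = 'Wait'
    'KB2756822' = 'Wait'
    'KB2753842' = 'Install'; 'KB2779030' = 'Install'; 'KB2758857' = 'Install'
    'KB2761465' = 'Install'; 'KB2770660' = 'Install'
}

function Compare-PatchStatus {
    param(
        [hashtable]$Chart,        # KB id -> chart status
        [string[]]$InstalledIds   # ids as Get-HotFix reports them, e.g. 'KB2758857'
    )
    foreach ($kb in ($Chart.Keys | Sort-Object)) {
        $present = $InstalledIds -contains $kb   # -contains ignores case
        $status  = $Chart[$kb]
        $finding = $null
        if ($status -eq 'Install' -and -not $present) {
            # Not every update applies to every Windows or IE version,
            # so treat this as a prompt to check, not as proof of exposure.
            $finding = 'Not reported as installed'
        } elseif ($status -ne 'Install' -and $present) {
            $finding = "Installed despite '$status' status"
        }
        if ($finding) {
            New-Object PSObject -Property @{ KB = $kb; Status = $status; Finding = $finding }
        }
    }
}

# Get-HotFix reads Win32_QuickFixEngineering, which lists Windows component
# updates only. MSI-based Office patches (for example the Word updates in
# MS12-079) do not appear there, which is why they are left out of $chart.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

Compare-PatchStatus -Chart $chart -InstalledIds $installed |
    Select-Object KB, Status, Finding |
    Format-Table -AutoSize
```

An empty result means that none of the embedded rows disagree with what the system reports; it says nothing about rows that were not copied into $chart.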
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
