Should you use Windows Live Messenger?
In this issue
- TOP STORY: Should you use Windows Live Messenger?
- OVER THE HORIZON: IE bugs not fun for users
- PATCH WATCH: Patching isn't just about Microsoft
- HOT TIPS: Readers review alternatives to Windows Update
- PERIMETER SCAN: A bad month for Microsoft products
Should you use Windows Live Messenger?
By Woody Leonhard
Windows Live Messenger — the successor to MSN Messenger — hit the stands a week ago on Wednesday. That was version 8.0.0787. Ancient history. Less than two days later, Microsoft released a new version, 8.0.0792. Hooo boy. Here we go again.
So which Microsoft Messenger is which?
And you thought Microsoft’s software was complicated.
Microsoft has an amazing way with product names, wouldn’t you say? I mean, any company that can call its desktop search program "MSN Search Toolbar with Windows Desktop Search" deserves some sort of prize.
Over the past seven years, we’ve seen names like "Windows Messenger" (which is now presumably Windows Dead Messenger), "MSN Messenger," ".NET Messenger," and now "Windows Live Messenger" all applied to essentially the same product, its derivatives, and its plumbing. You’re to be forgiven if you don’t get the names straight.
The original MSN Messenger first appeared in 1999. Microsoft made it fully compatible with AOL Instant Messenger. The folks at AOL took umbrage, changed a few bits, and knocked MSN off the AOL network. Lawsuits ensued. When the dust settled, AOL had its network, Microsoft had a different one, and Yahoo! had yet another. Google Talk came out with Jabber, an (arguably) open network. Trillian talked to all of them, to a greater or lesser extent. A true Tower of (Messenger) Babel.
History repeats itself with Windows Messenger
Five years ago, Microsoft "forked" Windows Messenger, removing that version from the MSN Messenger mainstream to handle NetMeeting and video conferencing in Windows XP. Windows Messenger was stodgy and dowdy and functional, but it was relatively stable. New versions appeared every year or two, whether we needed them or not.
Meanwhile, MSN Messenger, the darling of the rapid-development, rapid-deployment crew, barreled ahead. We saw steady improvement in the product, delivered in a much more timely fashion. Too timely, in fact. New minor MSN Messenger versions seemed to roll out every week. Some versions of MSN Messenger didn’t even communicate with Windows Messenger itself.
Last week, Windows Live Messenger experienced some, uh, technical difficulties. Many folks complained that the servers weren’t working, that they lost their Contacts (at least temporarily), and that they were seeing loads of inscrutable error messages. It isn’t clear to me if the problems could be traced to the program itself or to the underlying network, but those Windows Live Messenger pioneers who tried the new version after Microsoft took it out of beta had to dig a lot of arrows out of their backs.
By the way, you can make sure that you’re running version 8.0.0792 by clicking the down-arrow to the left of the "minimize" icon, and choosing Help, About Messenger.
The new Live Messenger features
All right, I admit it. I don’t use any instant messenger unless I have to. I find IM even more distracting and disruptive than the telephone — and I avoid the phone whenever I can! E-mail is so much less, ah, presumptive.
That said, I will confess to using various IM programs from time to time. But I use them only if I’ve made an appointment with the other party in advance. I call that good manners. (You can call me Old School.)
At its most irritating level, this new version of MSN Messenger, er, Windows Live Messenger, is just like the last one, only more so. Every nook and cranny is filled with advertising and come-ons. You can pay to join Match.com. You can buy music at Rhapsody. You can "find great deals on eBay." You can "get the latest scoop on Xbox and Xbox Live Gaming" or learn about your credit score or find a job or post a résumé. Golly. How thoughtful.
There’s even subliminal advertising. Many of the backgrounds and window accoutrement look like Windows Vista’s forthcoming Aero user interface.
One touted feature leaves me shaking my head: of course you can use Windows Live Messenger to make a PC-to-PC or PC-to-phone call. But you’ve been able to do that since MSN Messenger version 3, six years ago. Remember Net2Phone? Maybe Verizon is cheaper than Net2Phone, but we’ve been here, done that.
The one new app that caught my eye appears to be a re-make of NetMeeting’s folder-sharing capability. If you click on the Share a Folder icon, WLM asks you to specify which of your Contacts you want to share files with, then lets you drag files into the shared folder. You can’t perform "whiteboard" kinds of functions on the shared files. In other words, you can’t make changes to the file while others watch the changes being made in real time. But the files do get synchronized, sooner or later, when changes are made. I found the whole process glacially slow, but I’m running on a rather plain-vanilla ADSL line.
The things Live Messenger misses
So what’s not to like?
I found one PC running MSN Messenger that couldn’t "see" that I was online and available with Windows Live Messenger. That’s a show-stopper for me. I won’t require all of my correspondents to switch to Windows Live Messenger simply to be able to see me.
You still can’t import your Contacts directly from Outlook. I guess we’ll have to wait for Outlook 2007.
I was really looking forward to trying the new interoperability between Windows Live Messenger and "Yahoo! Messenger with Voice (BETA)." Although building this bridge between Microsoft’s messaging network and Yahoo!’s messaging network only rates as a tiny step compared to the long-standing polyglot capabilities of Trillian, at least it’s a step in the right direction.
Microsoft’s effusive press releases about this newfound friendship between the two old rivals nearly drove me to a chorus of Auld Lang Syne. "With Windows Live Messenger, you can talk to your Yahoo! contacts. Forget needing multiple accounts to talk to all your friends — you’ll be able to see when they’re online and communicate with them from one place."
Truly a match made in heaven. Or, perhaps, in desperation.
Apparently, Microsoft couldn’t get the bridge to work before it shipped Windows Live Messenger. So the Windows Live Messenger-to-Yahoo! Messenger with Voice connection is now being billed as a "beta."
I tried everything and couldn’t get the connection to work. You may have better luck. If you want to try it, fire up Windows Live Messenger and click the Yahoo! icon on the left. You’re greeted with the news, "We’re knocking down the wall! Now with Windows Live Messenger, you can talk to your Yahoo! Messenger contacts too… you’ll be able to talk to all your friends from one place." Right. At least, if none of your friends use AOL Instant Messenger or Google Talk.
At the bottom of the breathless prose sits a line that says: Try It. Click the line and you go through a very rudimentary "beta signup." Shut down Windows Live Messenger and bring it back up again, and you’re supposed to be able to communicate with Yahoo! Messenger contacts. I couldn’t, but it may have been the phase of the moon.
Will Live Messenger/Yahoo beat ‘open’ IM?
Although Windows Live Messenger has a few neat capabilities, in the final analysis I recommend that you use "open" networks such as Jabber (via Google Talk) or a polyglot system, such as Trillian.
Maybe Microsoft and Yahoo! can come up with compelling reasons for people to sign on for their advertising-laden proprietary services. I certainly haven’t seen anything that would convince me.
Woody Leonhard writes books about Windows and Office. His most recent works are Windows XP All-In-One Desk Reference For Dummies, Windows XP Timesaving Techniques For Dummies, Windows XP Hacks & Mods For Dummies, Office 2003 Timesaving Techniques For Dummies, and Special Edition Using Office 2003 (with Ed Bott).
IE bugs not fun for users
By Chris Mosby
As I mentioned in my last column, the Metasploit project has been holding a Month of Browser Bugs. Every day, a new vulnerability is published, the majority affecting Internet Explorer. Releasing these flaws may be fun for Metasploit, but it certainly isn’t for the rest of us, who are forced to wait while Microsoft catches up on its patches.
IE graphics control can cause DoS
H.D. Moore identified a flaw in IE 6 that causes the browser to crash, allowing a denial-of-service (DoS) attack. This is due to a NULL pointer dereference error in the Microsoft DirectAnimation Structured Graphics control ("daxctle.ocx") while loading a specially formatted "SourceURL" parameter.
This can be exploited by a hacker who gets a user to visit an infected Web page. Administrator rights are not required for this exploit to work, but a hacker does have to make the user load the infected page.
What to do: Since this vulnerability is caused by an ActiveX control, I suggest disabling IE’s setting known as Run ActiveX controls and plug-ins. If you’re still using IE and you’ve followed Brian’s "Protect IE without SP2" article from the Nov. 18, 2004, newsletter, then you’ve already taken care of this.
More information: CVE-2006-3427, SecurityFocus, OSVDB, FrSIRT
Framesets within tables cause IE crash
Similar to the vulnerability in the last section, IE 6 has another flaw — discovered by Metasploit — that can also cause a DoS condition by making the browser crash. This flaw is not based on ActiveX but is due to a flaw in the browser’s code. It is caused by a NULL pointer dereference error — similar to the flaw in the previous section — when a frameset is added to a table object by the appendChild() method.
This flaw can be exploited by a hacker if a user visits an infected Web page that’s constructed in the way described above. Administrator rights are not required for the exploit to function, but user interaction is.
What to do: Use another browser, such as Firefox. If that’s not an option, then I suggest that you do not use IE to visit Web sites at random — visit only those sites that you’re required to use for business purposes.
More information: CVE-2006-3471, SecurityFocus, OSVDB, FrSIRT, XFISS
Exploited ActiveX object can compromise PC
The Metasploit bunch also released details of yet another flaw in IE 6 that can cause the browser to crash. This flaw is due to a malformed RDS.DataControl ActiveX object that has an invalid URL. When this happens, IE is unable to control the length of the URL value, causing a page violation/heap overflow. Successfully exploiting this flaw could allow a hacker to crash the browser or run infected code.
Like the flaws in the last two topics, this flaw can be exploited by persuading a user to visit an infected Web page. This flaw does require user interaction to work properly, but any infected code that was run would do so with the rights of the user.
What to do: Since this vulnerability is also caused by an ActiveX control, you can also protect your computer by disabling IE’s Run ActiveX controls and plug-ins setting. If you’ve already followed Brian’s "Protect IE without SP2" article from the Nov. 18, 2004, newsletter, then you’ve already done this.
More information: CVE-2006-3510, XFISS, SecurityFocus, OSVDB, FrSIRT
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He runs the SMS Admin Store and is a contributor to Configuring Symantec Antivirus Corporate Edition.
Patching isn't just about Microsoft
By Susan Bradley
There are products that need major patching this week, but they aren’t all from Microsoft. We’re so used to Microsoft programs having security implications if we don’t patch that we forget the many other software programs that can impact our systems.
Even banner ads can harm you
A good headline should grab your attention — it shouldn’t, however, impact your browser. But that’s exactly what some banner ads on Myspace.com were doing last week. These infected ads were using an old Microsoft picture flaw that was patched in January by MS06-001 (912919).
Earlier, Myspace fell prey to another attack in the headline area. The bloggers at ChaseandSam first reported on their site that home pages were getting snippets of code redirecting visitors to another page ostensibly about 9/11. The hacker site was using a Macromedia Flash flaw to exploit systems.
As a result of this, I’ve signed up for Adobe’s security notification service. Adobe has released an update on Mar. 14 to fix the flaw. Be sure you’re using the latest version of Macromedia Flash, which is 8.0.24.0.
For more on the MySpace problems, see Ryan Russell’s column, below.
MS06-034 (917537)
The first IIS 6.0 patch stumbles a bit
Brian covered in great detail in his July 20 news update three problems with MS06-034 (917537). As he stated, Microsoft’s fix on July 17 corrected two of the three issues with the Internet Information Services patch, but you may still be experiencing one issue.
To install MS06-034 properly, you may need to shut down your antivirus program temporarily while patching. As Brian said, if you have antivirus running on a server, shut it down and then reenable it after the patching process has completed.
I personally did not find that the patch failed quietly, as the Microsoft Security Response Center indicated. In the failed patch jobs that I saw, the failure was obvious, and the log files clearly showed that the affected asp.dll file was not being copied over.
Voice over IP needs patching, too
In the small-business arena, many folks are looking to VOIP (Voice Over IP) to reduce costs and provide more flexibility. Asterisk is one VOIP vendor that has made big inroads. But, like any piece of software, VOIP too needs maintenance.
Recently two issues came to light that were posted by XSS and released on the Asterisk Web site. The first results in a denial of service to your phone system and to your Internet connection. This has been fixed in the latest update. The new version is 1.2.10, as documented on the Asterisk site and by the Information Technology Information Sharing and Analysis Center (IT-ISAC) in alerts 3877 and 3878.
It’s quarterly Patch Tuesday for Oracle
Oracle runs many of the world’s large databases. Once a quarter, the company comes out with its "Patch Tuesday" notification. Already Red Database Security has released four advisories about SQL injection flaws corrected by Oracle’s updates. These advisories are linked to from the bottom of Red Database Security’s critical patch update page.
Databases are probably the slowest software to get updated and upgraded. Unfortunately, the worst of the new Oracle issues could lead to either remote control of your system or unauthorized information disclosure. Attackers don’t need to have rights to the database to perform these tasks, as described in the IT-ISAC analysis.
Ethereal’s new version needs patching
Ethereal is a program that allows you to look at the raw traffic going between your computer and the Internet. It was recently renamed Wireshark due to its developers moving to a different company, as described in its FAQ.
Under the program’s new name, it already needs an update to version 0.99.2. This corrects an issue in which a hacked TCP/IP packet could take control of your system.
Winternals, Sysinternals become blue badges
While this is not exactly patching related, it’s noteworthy enough to cause a ‘buzz’ in the IT world nonetheless.
Winternals and Sysinternals software, which grew into a wide range of diagnostic tools for Windows, were recently bought by Microsoft. When individuals become Microsoft employees, they are deemed a "blue badge" because of the telltale color of the security badge they wear on campus. Mark Russinovich and Bryce Cogswell are now blue badges.
Sysinternals’ best known tools, Filemon and Regmon, have been used by many an IT pro in their daily duties. At this point, it’s unclear how many of the tools will be merged into the operating system or will remain as free utilities.
MS06-034 (917537)
Reading log files tells the patching story
When you patch, a log file is left behind on the machine that tells you the patch success or failure on that system. Normally the successful completion of Microsoft Update is enough, but in the case of the recent IIS patch, 917537, the patch’s failure to install meant that I had to dig into the details.
The log files may be a bit cryptic, but you can sometimes see what the problem is. In the case of the IIS patch, the sample lines shown below make it very obvious that the patch didn’t complete.
If you have a Windows 2003 SP1 box or an SBS 2003 SP1 box, review your 917537.log file, which should be located in the C:\Windows directory, to ensure that the patch completed. Here’s an excerpt from my log file:
- 8.484: KB917537 installation did not complete.
- 8.484: Update.exe extended error code = 0xf201
- 3.359: KB917537 Setup canceled.
- Select ‘OK’ to undo the changes that have been made.
- 13.359: Starting process: C:\WINDOWS\$NtUninstallKB917537$\spuninst\spuninst.exe /~ -q -z
- 14.844: Software Update Rollback has completed with return code 0xbc2. This rollback requires a reboot.
- 14.844: KB917537 installation did not complete
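One way to check such logs without reading them by eye, as an added example that is not part of the column: a small Python parser run over the excerpt above (the quoted lines, with the lost backslashes restored) that flags the failure markers, pulls out the extended error code and reports the rollback result. The "success" sample, the marker list and all function names are constructed for illustration, not taken from Update.exe documentation.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# The 917537.log excerpt quoted above (Update.exe style: "<seconds>: <message>"),
# with the backslashes the page lost restored.
SAMPLE_FAILED_LOG = """\
8.484: KB917537 installation did not complete.
8.484: Update.exe extended error code = 0xf201
3.359: KB917537 Setup canceled.
Select 'OK' to undo the changes that have been made.
13.359: Starting process: C:\\WINDOWS\\$NtUninstallKB917537$\\spuninst\\spuninst.exe /~ -q -z
14.844: Software Update Rollback has completed with return code 0xbc2. This rollback requires a reboot.
14.844: KB917537 installation did not complete
"""

# Constructed counter-example (NOT real Update.exe wording): a log with none of the
# failure markers, so the parser reports success only by their absence.
SAMPLE_OK_LOG = """\
1.250: KB917537 Setup started (constructed sample line)
9.500: KB917537 installation completed (constructed sample line)
"""

LINE_RE = re.compile(r"^(?P<t>\d+\.\d+): (?P<msg>.*)$")
KB_RE = re.compile(r"\b(KB\d+)\b")
ERRCODE_RE = re.compile(r"extended error code = (0x[0-9A-Fa-f]+)")
ROLLBACK_RE = re.compile(r"Rollback has completed with return code (0x[0-9A-Fa-f]+)")
# Phrases that, in the excerpt above, mark a failed install.
FAILURE_MARKERS = ("installation did not complete", "Setup canceled")
ERROR_SUCCESS_REBOOT_REQUIRED = 0xBC2  # Win32 error 3010, the rollback code seen above


@dataclass
class PatchLogSummary:
    kb: Optional[str] = None
    completed: bool = True
    error_code: Optional[int] = None
    rolled_back: bool = False
    rollback_code: Optional[int] = None
    reboot_required: bool = False
    failures: List[str] = field(default_factory=list)


def parse_update_log(text: str) -> PatchLogSummary:
    """Scan an Update.exe-style log and summarise whether the patch completed."""
    summary = PatchLogSummary()
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        msg = match.group("msg") if match else raw.strip()  # some lines have no timestamp
        if not msg:
            continue
        if summary.kb is None:
            kb = KB_RE.search(msg)
            if kb:
                summary.kb = kb.group(1)
        if any(marker in msg for marker in FAILURE_MARKERS):
            summary.completed = False
            summary.failures.append(msg)
        err = ERRCODE_RE.search(msg)
        if err:
            summary.error_code = int(err.group(1), 16)
        rb = ROLLBACK_RE.search(msg)
        if rb:
            summary.rolled_back = True
            summary.rollback_code = int(rb.group(1), 16)
        if "spuninst.exe" in msg:  # launching the uninstaller is itself a rollback sign
            summary.rolled_back = True
        if "requires a reboot" in msg:
            summary.reboot_required = True
    return summary


def describe(summary: PatchLogSummary) -> str:
    """One-line verdict suitable for a patch-status report."""
    name = summary.kb or "patch"
    if summary.completed:
        return f"{name}: completed"
    parts = [f"{name}: FAILED"]
    if summary.error_code is not None:
        parts.append(f"error 0x{summary.error_code:x}")
    if summary.rolled_back:
        code = summary.rollback_code
        if code is None:
            parts.append("rolled back")
        else:
            note = " (reboot required)" if code == ERROR_SUCCESS_REBOOT_REQUIRED else ""
            parts.append(f"rolled back, rc={code:#x}{note}")
    return ", ".join(parts)


if __name__ == "__main__":
    # Usage: python check_patch_log.py C:\Windows\917537.log  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_FAILED_LOG
    print(describe(parse_update_log(text)))
```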
Patching at night and on weekends
Calling into the Microsoft Security hotline for server issues outside of U.S. business hours may require that you have a bit more patience. In March, Microsoft began an "after hours" policy under which only business-critical issues can receive support between 6 p.m. and 6 a.m. Pacific Time.
The 1-866-PCSAFETY phone line is still the main phone number to call in the U.S. with security patch issues. While issues you have with a security bulletin are still a free call, you may spend a bit more time waiting while navigating the phone lines. You may find that patience is indeed a virtue.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received a MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Readers review alternatives to Windows Update
By Brian Livingston
The shock waves caused by Microsoft’s decision to quietly install Windows Genuine Advantage through its security update mechanism are still being felt by my readers. The marketplace for non-Microsoft antivirus packages, security suites, and the like is crowded with well-known competitors. By contrast, the field of Windows Update alternatives is new and the players are little-known. Until more reviews have been published by major test labs, I’ll keep bringing you my findings and the comments of Windows users who are doing their own analyses.
Leak in Automatic Updates burns up memory
As readers of this newsletter know, the fact that Microsoft now allows marketing gimmicks to be downloaded as "critical security updates" caused me to recommend on June 29 disabling Automatic Updates (AU). Now it turns out that AU has other problems. If you’re not using AU, why should you suffer from the CPU cycles and memory it consumes?
Reader John Cullen writes:
- “Your recent editorials regarding Windows Update (WU) and the use (or not) of Automatic Updates (AU) have been, to say the least, enlightening. I was particularly pleased with the recent offer by Shavlik Technologies of a year’s use of their NetChk Protect software, an offer which I have already taken advantage of. …
“Although there has been much hue and cry over the use of AU, there are those amongst us who are simply unable to use it, whether we want to or not. I’m talking about machines in a corporate setting and for whom group policy settings are in place. These settings disable access to the AU controls within XP itself and prevent the WU control from operating after accessing the WU site directly.
“Of course there are ways around this (including using NetChk Protect!), but that’s a different story. The problem is that blocking access to AU has an unfortunate side-effect. There appears to be a rather significant memory leak in the AU code, which manifests itself as one of the 5 or 6 svchost.exe processes that are always present, gradually consuming huge quantities of RAM and VM.
“In my case, after approximately three weeks of uptime, the svchost.exe in question was holding onto approximately 200MB of RAM and over 400MB VM. (My machine has 1GB of RAM, but even so, performance degradation starts to be noticeable when this happens!)
“It’s not a good idea to kill the svchost.exe process in question (although SysInternals’ Process Explorer utility does show all individual processes loaded by each svchost, and allows for them to be killed). The best solution to the problem is simply to disable the AU service itself.
“Setting the service ‘startup type’ to ‘manual’ does not seem to solve the problem. Occasionally, some process or other (or perhaps another group policy setting) was causing it to restart. However, setting it to DISABLED completely solves the memory hog problem.
“And anyway, if you’re not allowed to use/access AU/WU, there’s no point running the service.
“I hope this tip might be useful to others who are perhaps wondering why there always seems to be a svchost.exe consuming huge quantities of memory/VM!”
Disabling the Automatic Updates service is an advanced procedure, so don’t do it if you’re unsure of the benefits. It’s definitely not advisable to kill svchost.exe, because this process may serve many different applications, not just AU. Microsoft describes this in detail in Knowledge Base article 314056.
To disable AU, click Start, Run, type services.msc, and press Enter. On the Extended tab, right-click Automatic Updates, click Properties, and change Startup Type to Disabled. This stops the WUAUSERV process. To reverse this, repeat the steps and change Startup Type to Automatic.
You may see an error message from Windows if you run Windows Update with the service disabled. Microsoft provides complete technical information in KB articles 883614 and 910337.
AU’s memory consumption is just one more reason to question Microsoft’s strategy for auto-updates and look for alternatives that can perform this service more reliably (and without spyware). There’s more on AU alternatives in our next comment.
More info on AutoPatcher as an alternative
I printed a comment from reader Michael Klein in the July 13 newsletter recommending AutoPatcher, another free service that replaces Windows Update. Andrea Perotti has sent in a longer review:
- “I’ve followed this month the evolution of the exodus from Windows Update.
“I found myself another solution to the lack of an automatic patching system: AutoPatcher.
“This is a project born from the Neowin forum, it’s stable, well developed and easy to extend.
“It’s based on incremental patches. You have to install first a full release of AutoPatcher. You can choose the lite version (only Windows Update) or the full version (updating of other apps included). After installing the full version, the next time there is a release of AutoPatcher you’ll have to download only the update patch for the full or light AutoPatcher version, not the whole patchset.
“Usually the releases follow the Microsoft release time, once a month.
“Launching the installer, it will extract into a directory all the patches and the updates. Then it scans the directory tree just created to load the information, presented in text files, for each patch or update present and shows you the result.
“The GUI is clear and easy to use, you can even uninstall patches you installed.
“There’s an interesting section that allows you to apply some modifications to the Windows Registry to enable or disable some hidden features. Obviously, even this ‘trick’ section is reversible.
“The tool is totally free and the structure of the directory tree and the description files is easy to learn and extend.
“Give it a try. For a single PC user, it’s really nice and useful and doesn’t require any bloated components (.NET anyone?).”
The AutoPatcher home page says the site is "under construction," and the software itself may be a bit daunting to new users. One great feature of AutoPatcher, however, is that the program supports burning update files to CDs or DVDs or deploying patches from a directory on a local or network hard drive. This helps people who commonly build PCs or format their old PCs to install and update Windows without using an Internet connection.
A technical article on using AutoPatcher and Novell ZENworks to patch multiple workstations is available at the Novell site.
New version of ZoneAlarm irks reader
Security suites seem to be some of the most complex software commonly added to PCs by homes users and small-business users. That means there are plenty of opportunities for conflicts with Windows. Reader Peter Cramton writes:
- “All my computers have become unstable as a result of the latest ZoneAlarm version 6.5.722. The program causes numerous copies of dumprep.exe to run and consume 100% of the CPU.
“This happens with all three of my Windows XP machines (2 Dell desktops and 1 ThinkPad). I finally discovered that it was ZoneAlarm causing the problem, with some Google searches on dumprep.exe cpu.
“All is well, now that I have uninstalled 6.5.722 and replaced it with [the older] 6.1.744.001. There is no mention of this problem on the ZoneAlarm site.
“ZoneAlarm needs to be much more careful in releasing new versions. I’m sure 6.5.722 runs on some systems, but it clearly has some serious incompatibilities with some programs.
“The experience was more frustrating because the ZoneAlarm uninstall leaves lots of files behind that make it impossible to install 6.1.744. One needs to include the parameter /clean in the uninstall command line in order to get a clean uninstall, which then will allow reinstallation of 6.1.744.001. Very frustrating! I lost over a day on this. Please alert your readers.”
As you can see in the Security Baseline section, above, ZoneAlarm Security Suite has been knocked out of the top-rated position by Symantec’s Norton Internet Security Suite, based on an in-depth review by PC World Magazine.
If you use ZoneAlarm with no problems, there’s no reason for you to immediately chuck it. But if you’re seeing the issues that Cramton diagnosed — or it’s time to pay up to renew your license for the ZA Security Suite — the Norton suite should get your consideration.
VMware Server is now offered free
Virtualization, or running more than one operating system on a single machine, is hot, and VMWare has just turned up the temperature. Reader Allyn Hunt writes:
- “More of a suggestion than a tip, but VMWare has announced its free (as in beer) server product this week (which comes with no restrictions and up to 100 licenses per request). Seeing as how virtualization in general is getting nothing but praise by system administrators and budget-conscious managers everywhere (lower TCO), I’d say it’s time to devote a newsletter to the industry shift that is already in full swing (and which this announcement will only accelerate).”
VMWare’s announcement of its free offer is explained in a press release. The company sells one year of support for a list price of $350 USD per two processors. Subscribers, let me know your experiences.
A bad month for Microsoft products
By Ryan Russell
This is, of course, a Windows-centric newsletter. That means that sometimes it can be difficult writing about security issues without picking on Microsoft. Drive-by downloads still mostly affect Internet Explorer, not other browsers, and Microsoft Office products are showing cracks in the foundation. I’ll explain below.
The ‘Million Malware March’ for MySpace
Here at Windows Secrets, we’ve many times discussed browser bugs, drive-by installs, and the resulting malware. Yet another example hit MySpace.com recently. (For patches, see Susan Bradley’s column, above.) This is an extremely interesting case because of the volume of affected users and the method of infection. It appears that as many as a million MySpace visitors may have been infected with spyware served up via MySpace’s banner-ad mechanism.
Brian Krebs does his usual excellent reporting on the topic in his Washington Post Security Fix blog. In it, he reports that iDefense analyst Michael La Pilla was offered a suspicious exp.wmf file when visiting the site.
It turned out to be a file trying to take advantage of the WMF hole that was patched by Microsoft in January. Since Michael was using a Linux machine to browse, the infected file was offered as a download instead of trying to run. Michael found what appeared to be the tracking site for the infector, which had a counter that indicated 1.07 million machines had been infected. Brian’s research indicates earlier examples of the same WMF-via-banner technique being used back as far as July 8.
Using ad space to attack visitors is a fairly old and somewhat obvious attack (to an attacker). For example, when I was working for SecurityFocus in 2001, our main site was defaced. Details are discussed in an Attrition.org post. The summary is that an attacker by the handle of "Fluffi Bunni" — who had a penchant for attacking security sites — took over the servers of the company that handled our banner ads. The end result was that the hacker’s banners appeared at the top of each page on our site. Our machines were not broken into, in that instance, but because part of our site originated elsewhere, it left an avenue of attack.
Still, the sheer volume of attacks in the MySpace case might be an eye-opener to some. I see various Web-site-ranking mechanisms that rate MySpace as one of the Top 10 most-trafficked sites in the world. Some say it’s as high as 2nd, after Yahoo.
My basic point is that one cannot rely on limiting users to a "trusted" set of Web sites as a security mechanism. That won’t let you get away with not having your patches in place. It looks like 1 million people or more didn’t.
Incidentally, having previously looked at similar "Web counter" malware, which counts the victims of a hack, I’m sometimes skeptical about trusting the numbers as presented. But yes, I do believe that lots of users were compromised.
A flood tide of Office vulnerabilities crests
You may have noticed Chris, Woody, and Susan talking about a lot of Microsoft Office vulnerabilities over the last month or two. A good example is our June 29 issue. Woody discussed Word and Excel zero-day attacks and Chris talked about three Excel vulnerabilities. It turns out that yes, there is a trend.
This trend is spelled out in an article by Robert Lemos at SecurityFocus. Robert says that so far this year, there’ve been 24 reported Office vulnerabilities. That’s 6 times as many as in all of 2005.
The other half of this trend is that a few of these cases came to light as zero-day, targeted attacks against particular companies. We don’t have all the details, since it appears that neither the attackers, Microsoft, nor the victimized companies are interested in giving a lot of information.
What does this mean for you? It means you need to go back to being paranoid about Office documents showing up in your e-mail. Dust off your old e-mail gateway filters. If you were around for the VBScript and macro virus days of 2000-2002, you know what I mean. The icon for a .vbs file still sets off my automatic "virus panic mode."
Around my office at work, we’re not huge fans of Office patches. When Office 2000 came out, Microsoft made things painful by requiring some form of the CD-ROM in order to apply patches. Office patches also tend to be complicated, they apply to lots of different components, and so forth. There’s just a lot of general complexity, which is the enemy of security.
As Lemos points out in his article, this new wave of problems has swamped the Office programming team. It all means that you’re not getting a re-architected, carefully audited version of Office soon. If the team ever does release such a product someday, I may have to finally get rid of my old Office 2000, which I’ve never had a compelling reason to replace. (And which they still patch, just not with Microsoft Update.)
Incidentally, where are all the new Office vulnerabilities coming from? Most likely from vulnerability researchers with fuzzers. Allow me to explain.
Fuzzers help hackers find flaws
A fuzzer is a piece of software that’s designed to feed all possible inputs in a semi-random manner to a program under analysis. Another way to put it is that a fuzzer feeds structured garbage to a program until it crashes.
Once a crash occurs, the researcher looks at the inputs and reproduces the crash while tracing with a debugger. This way, the analyst can determine if the crash is exploitable — if the "garbage" is structured just right.
If you’re fuzzing Office, then you write documents in Word, Excel, etc., throw in what you think might be bogus values of some of the fields, and see what happens. This is likely the discovery technique for many of the recent Office vulnerabilities.
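The loop described above, written out as an added example that is not code from the column: a mutation fuzzer run against a constructed toy document parser that trusts its record-count field the way a buggy file parser might, plus a reproduce step that re-runs the crashing input on its own. The format, the parser and every function name here are constructed for this illustration.

```python
import random
import struct
import traceback

MAGIC = b"TOY1"  # constructed toy format: magic, 1-byte record count, count x 16-bit values


class ParseError(Exception):
    """Clean rejection of malformed input; this is not a crash."""


def parse_toy(data: bytes, trust_count: bool = True) -> list[int]:
    """trust_count=True keeps the classic bug: the count field is used without
    checking it against the bytes actually present, so struct.error escapes."""
    if data[:4] != MAGIC:
        raise ParseError("bad magic")
    if len(data) < 5:
        raise ParseError("truncated header")
    count = data[4]
    if not trust_count and len(data) < 5 + 2 * count:
        raise ParseError("count exceeds available data")  # hardened parser
    return [struct.unpack_from(">H", data, 5 + 2 * i)[0] for i in range(count)]


def make_seed(values: list[int]) -> bytes:
    """Build a valid document to mutate from."""
    return MAGIC + bytes([len(values)]) + b"".join(struct.pack(">H", v) for v in values)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Overwrite one byte with a boundary value or a random one (structured garbage)."""
    buf = bytearray(seed)
    buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF, rng.randrange(256)])
    return bytes(buf)


def fuzz(seed: bytes, iterations: int, seed_rng: int = 1, trust_count: bool = True):
    """Return the first input that crashes the parser (any exception other than a
    ParseError rejection), or None if the parser survived every iteration."""
    rng = random.Random(seed_rng)  # fixed seed so a run can be repeated exactly
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            parse_toy(candidate, trust_count)
        except ParseError:
            continue  # well-behaved rejection: keep fuzzing
        except Exception:
            return candidate  # crash: save the input for the analyst
    return None


def reproduce(crash_input: bytes) -> str:
    """Re-run the saved input alone and return the traceback for debugger work."""
    try:
        parse_toy(crash_input)
    except Exception:
        return traceback.format_exc()
    return ""
```

The hardened variant (`trust_count=False`) survives the same run, which is the check a developer wants after fixing a field-validation bug.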
You can do it for Web browsers too. If you’re H.D. Moore, then you end up with the Month of Browser Bugs. They’re mostly crash bugs (one assumes that he’s keeping some more-sexy, exploitable ones for other uses) that affect a number of different browsers. Be careful about clicking on links that say "Demonstration."
And yes, Internet Explorer is still over-represented here, too. For details, see Chris Mosby’s column, above.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
