To auto-update or not to auto-update
In this issue
- TOP STORY: To auto-update or not to auto-update
- PATCH WATCH: Recovering from the April patches
- WOODY'S WINDOWS: WinXP networking — too much, too little
- PERIMETER SCAN: The exploit market is heating up
- OVER THE HORIZON: Word zero-day exploit causes concern
To auto-update or not to auto-update
By Brian Livingston
I published a Woody Leonhard column as the top story last issue while I was traveling, knowing that he’s opinionated and always gets strong reactions. Well, he didn’t disappoint me.
Reacting to several mistakes Microsoft made in its Automatic Updates downloads in April, Woody railed against Redmond’s patching strategy, saying, “Windows auto-update is for chumps.”
Woody made some very good points, which Microsoft has done nothing to rebut. There’s an important lesson here. I’m going to use this space today to give you the best advice I’ve been able to pull together.
An April that will live in infamy
For those who don’t know the details of what I call Microsoft’s April Fool’s patches, here’s a quick recap, in increasing order of severity:
• An obscure hotfix for XP SP2 machines, patch 900485 from Dec. 2005, was downloaded as a “critical” security patch via Automatic Updates on Apr. 25, two weeks after Redmond’s regular Patch Tuesday distribution. Almost no one needed this hotfix, although it seems to have done no harm. It was apparently inserted into the Automatic Updates mechanism by accident, according to some newsgroup comments, although Microsoft still hasn’t explained the gaffe.
• Security bulletin MS06-016, released on Apr. 11, made it impossible for some users of Microsoft’s free Outlook Express e-mail program to open their Address Books or reply to e-mails. Microsoft acknowledged this on Apr. 26 and published Knowledge Base article 917288. The company describes how to back up, delete, and then import the Address Book to fix OE. But Redmond, six weeks later, hasn’t issued a corrected MS06-016 patch to save people from having the problem in the first place.
• MS06-015, released on the same Patch Tuesday as MS06-016, conflicted with widely used nVidia video drivers, some HP printer/scanner/CD/DVD software, Kerio Personal Firewall, and some other applications, as described in KB 918165. The problem caused Microsoft Office components and some other apps to freeze when accessing files in My Documents or My Pictures, interfered with Windows Explorer and Send To, and prevented Internet Explorer from visiting typed-in Web addresses unless they were prefixed with http. The security bulletin was re-released on Apr. 25 so users could install a version that corrects the problems.
• Windows Genuine Advantage, a Microsoft program that checks Windows installations for valid licenses, was pushed out as a “critical” security update to the U.S., U.K., Australia, and other countries beginning on Apr. 25. It’s impossible to use Add/Remove Programs to remove the GA app, which displays warnings (once per hour after 14 days) if the software considers a copy of Windows to be nonlicensed. (Microsoft explains in KB 905474 how to disable the warnings until the next update is installed.)
I consider the surprise Genuine Advantage downloads to be the most severe blunder. Microsoft had previously said the tool would be strictly opt-in, but the midnight installs flooded some companies’ help desks with calls from panicked users. No one expects Microsoft to give away its products for free. No responsible company, however, slams its biggest, most legitimate customers with a change of this magnitude with little or no notice other than a press release the day before.
In the face of the missteps described above, Microsoft has said almost nothing by way of explanation. The Redmond company is filled with thousands of talented and well-meaning developers, but they don’t drive the corporation’s policy in this area. After several inquiries seeking comment, a Microsoft spokeswoman told me: “Unfortunately, we are unable to provide you with an interview at this time due to lack of spokesperson availability.”
I’ve previously said that home users of Windows (as opposed to advanced users) should keep Automatic Updates turned on. That was because Microsoft assured the public that Automatic Updates would only be used to distribute security updates rated as “critical.” Microsoft’s abuse of its security upgrade mechanism to stealthily install Genuine Advantage, in addition to April’s outrageously buggy patches, is inexcusable. It’s clear that corporate executives have made a deliberate decision to use Automatic Updates to install software that benefits the company, whether or not it helps users or has any relationship to users’ security.
Pros update manually, novices automatically
Because of the April Fool’s patches, I want to clarify my recommendations on who should keep Automatic Updates turned on and who should use the Control Panel to turn it off.
• Advanced users (including companies with full-time IT staff) should never use Automatic Updates. Professionals should first test Microsoft patches — and every other company’s patches — on isolated machines. Read the free and paid versions of the Windows Secrets Newsletter that are published 2 days after Patch Tuesday with warnings of problems. Then use patch-management techniques to carefully install the needed upgrades to end users.
• Novice users, who can’t or won’t read up on reported patch problems before updating their machines, should leave Automatic Updates turned on. Beginners have a greater risk of catching a virus than they do of encountering a serious patch incompatibility.
Some advanced users may disagree with my recommendation that novices should leave Automatic Updates turned on. If you’re the main tech support for a newbie, I’d say you can disable AU if a PC has the four items in our recommended Security Baseline (below), which provides good general security. Patches should still be installed manually within a few days of release, after you check news reports for potential conflicts.
Supporting Grandma’s PC means auto-update
We received many comments supportive of Woody’s distrust of Automatic Updates, which he’s been publicly stating for years. We can give you only an overview here of the positive and negative reactions. As a representative of those who dispute Woody’s view, reader Dave Nickason writes:
- “It is irresponsible for Woody to argue for people to turn off AU unless he wants to be the one supporting the unpatched machines of all of our parents, grandparents, and siblings. Some novice PC user like my 81-year old Dad will take that advice, never patch again, and I’ll be left to reinstall Windows when his system quits working.”
I have to agree that Windows amateurs, which probably includes the majority of Windows users, won’t update their PCs unless it’s done for them automatically. Given the latest round of MS mistakes, people who support relatives’ PCs will have to accept that auto-updates may eventually cause some conflict that requires time to unravel. But this will probably be a less serious problem than dealing with an unpatched machine that’s caught hard-to-remove viruses.
Microsoft is a business, get used to it
Other readers also made a distinction between novices and power users, while not applauding Microsoft for its behavior. Reader Kevin Gagel writes:
- “I’m writing in response to Woody Leonhard’s article about Micro$oft’s automatic updates.
“While I agree in principle with Woody’s assessment of M$’s trustworthiness, I cannot agree with disabling the auto-update feature.
“I’ve witnessed first hand the benefit of having it enabled, as well as seeing how it can fail us.
“Nonetheless, I have witnessed far more ‘good’ (I shudder to think M$ can do good) than bad by updating systems automatically.
“What users out there have the ability to ‘test’ a patch before applying it? What users out there will ‘know’ when it is the right time to apply a patch?
“Since M$’s activation of what they call a firewall, I’ve witnessed a huge reduction of viruses being e-mailed to us.
“Leaving systems vulnerable because of someone’s incompetence is not the answer. Woody should know that there is a larger number of technically inept end users than there are technically savvy.
“I think that Woody could have done a better job (and justice to the end users) if he’d presented a better balanced position of pros and cons instead of just espousing his nonconspiracy conspiracy theory.
“M$ is and always has been a business looking to make a buck. It will do whatever it takes to protect that, including pushing noncritical “critical patches” that verify the system is not running a bootleg copy of Windoze.”
In the view of this reader and other readers, Microsoft has spent many years building up a capacity to install software automatically, and it can only be expected that the software giant will use it for business advantage.
Do one thing at work, another at home
A different opinion was provided by those who are required to auto-update by work policies, but disable Automatic Updates on personal machines, to which they’re willing to devote more care. A reader who goes by the name Ralphy writes:
- “Unfortunately, some of us don’t have the luxury of a corporate environment. I work for a Department of Defense unit and must have our boxes patched within a certain time frame. It is impossible for our office to be able to ‘test,’ then patch. We have too many boxes stretched over a large area.
“If it weren’t for automatic updates, we would be spending a lot more time doing updates rather than other mission-essential items. I do agree that last round was bad, but out of 500 machines only 3 were bothered by the update that you spoke of. Those were the only ones we had to fix.
“Having said all of that, at home, I do the opposite. I wait for 2 weeks before I run the updates manually. I’ll let the rest of the world be Microsoft’s test bed and see what works and what doesn’t.
“However, I still rated it a good article but not for the business world.”
This underscores the theme of, “Those who can, patch manually. Those who can’t, patch automatically.”
Why Security Baseline recommends MS Update
A few readers questioned two lines in our Security Baseline that recommend using Microsoft Update for MS software and whatever auto-update features other vendors’ software may have. Reader Russell Atwood writes:
- “In issue 75, I found it humorous to have a long article from Woody Leonhard on the trials and tribulations of Windows Automatic Update (don’t let it happen to you), and in the Security Baseline, instruct customers to do exactly what Mr. Leonhard says don’t do (turn on Automatic Update).
I understand both sides, but it still makes me smile with the irony of it.
Great newsletter, keep up the good work.”
The Security Baseline actually never mentions Windows’ Automatic Updates. It says, “Individual users should opt into the new, free Microsoft Update, an improvement over Windows Update.” Both Microsoft Update and the older Windows Update allow AU to be enabled, disabled, or set to “notify only,” as you please.
To make myself perfectly clear, I’m adding to the Security Baseline a recommendation that advanced users disable AU and study the latest copy of this newsletter before installing any Patch Tuesday upgrades.
Norton Internet Security imposes auto-updates
Norton Internet Security, a software security suite, complains and asserts control over auto-updates if users choose manual updates instead. Reader John Lambert writes:
- “My Norton Security flags me that I have 1 ‘problem’ affecting my system when I take Woody’s advice to select a button other than the option to take auto-update. Should I worry about this?”
This is surely a harmless warning, although irritating. A more serious difficulty is that NIS can change Windows’ auto-update settings without notifying you. A reader by the name of Scott writes:
- “Turning off Windows’ auto-update may not be enough to prevent a nasty update surprise. Those who use Norton Internet Security should be aware that Norton will automatically turn on Windows’ Automatic Updates unless you turn off automatic updates in Norton. You will continue to get Windows’ Automatic Updates downloaded and installed whether you like it or not.
Turn off automatic updates in Windows and Norton if you want any hope of control over updates.”
Again, my advice is that novices should auto-update, which includes auto-updating Norton Internet Security and other security software. Everyone else should learn to read up on patch problems and then install new patches manually within a few days of their release.
The readers named above will receive a gift certificate for a book, CD, or DVD of their choice for sending me comments that I printed. To send more information about auto-updates, or to send a tip on any other subject, visit WindowsSecrets.com/contact.
Ads accepted by most, with caveats
We re-introduced ads into the May 11 issue of the newsletter. We had kept a moratorium on ads for more than a year after some major ISPs bounced one of our newsletters over an advertiser’s URL that had been abused. We now host all of our own links, which should eliminate the problem.
We received only 3 or 4 readers’ comments of concern about accepting ads, so we’ll keep doing so. But the questions are legitimate and worth addressing. Reader Kim Vong writes:
- “This creates an issue which you will have to address somehow. We have all learned from the Internet, if not from everyday human interaction, to Trust No One. We now have the possibility of ‘Rate our product at the top or we will pull our ads,’ so you can ‘compromise’ by offering to make them #2. You could be, and probably are, 100% honest, but now there’s this doubt lurking. …
“Your newsletter is great! It’s only the product recommendations that I will no longer bother with.”
That’s an easy one to answer. We have no test lab and we generally don’t rate products, so there are no “ratings” to compromise. In our Windows Gizmos and Index of Reviews sections, which we’ve moved from the newsletter to our Web site, we merely summarize the ratings of well-known test labs that we respect, such as those of PC Magazine, CNET, and PC World. We link directly to the results of the reviewers. Anyone who doubts our summaries can check the raw scores, which there’s no way for us to fake.
In rare cases, such as our Jan. 26, 2006, test of antispam appliances, we do take matters into our own hands. But we published this test only because no major magazine had yet discovered the inexpensive yet high-performing alternatives we’d found. We can afford to underwrite such tests only very infrequently.
We’ll continue to print the Security Baseline in each issue of the newsletter, so everyone knows which products are the minimum needed to protect their Windows PCs. Our statements of which security products are currently the highest-ranked are determined solely by adding up the Editors’ Choice awards from big-name reviewers like those mentioned above. Advertisers can’t dictate which security products have received the most top ratings — we simply compile the scores.
It’s important to note that all of the test publications we’ve mentioned do accept advertising of their own. Advertisers may have some effect some of the time, but they can’t bias the test results of all of these labs all of the time. We feel that averaging these testers’ top ratings will always reveal a few strong contenders for your consideration.
Which content is ads and which is editorial?
A separate concern is that there be a clear distinction between editorial matter and advertising. Reader Philip Pearlman writes:
- “If you are going to allow adverts — which is an undesirable feature from this reader’s POV — are the products advertised approved by WindowsSecrets? If not, why not?”
We can state this very clearly: If a section is headed “ADS,” the content is provided by an advertiser. If a section has any other heading, it’s edited by me and I stand behind its accuracy.
We’ll never allow advertising for any products or services that are harmful or even just irrelevant to the users of Windows. No tobacco, alcohol, gambling, or adult-oriented products, and (in addition) we make advertisers adhere to Google.com’s rather strict requirements for ad content.
As a journalist, I’ve set up a Chinese Wall so that neither I nor my contributing editors can be pressured by advertisers. Communications with ad reps are headed up by WindowsSecrets.com’s research director Vickie Stevens, whose integrity shines through.
Thanks for your concerns about the newsletter. We intend to always remain worthy of your trust. We’ve learned from other Web sites that prove you can be well-respected while balancing multiple revenue sources. We’re certain that we can keep our dedication to our writing and our readers intact.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Recovering from the April patches
After our battle scars from the April patches, Microsoft’s May patches were a bit of a breather for consumers.
While the Exchange patch meant homework for administrators, home users at least had a break after the “double patch” bout we had in April. But lest you think everything is rosy on the other side of the operating system, even Apple folks had to deal with their share of patch pain this month.
Apple users, we feel your pain
First off, I have to say that I love the new Apple-versus-PC advertising campaign. You’ve seen them, haven’t you? The Security Awareness blog links to a few of the better ones, but all six can be found at the Apple Web site.
I don’t quite agree that Apple is immune to any disease, as the funny “virus” video implies. Unfortunately, our Apple brothers have had their share of patching issues this month, as have Windows users. Having Adobe’s Version Cue software in the Startup menu, as mentioned in the Apple support forums, appears to be causing issues for many Mac users. As a precaution, ensure that Version Cue is not in your Startup if you install Apple’s latest security bundle.
But don’t just read that and think, “I don’t have a Macintosh, so there’s nothing of interest for me.” Even us Windows folks need to be aware of the QuickTime issues that were recently patched, as reported by ZDNet. To ensure that you only get the QuickTime patch, and not the bundled version that includes iTunes, use Apple’s standalone QuickTime Player link.
MS06-019 (916803)
Exchange patch builds confusion
In early builds of Exchange 2003, any user with permissions set to “Full Mailbox Access” has the ability to “Send As” the owner of the mailbox. Microsoft determined that this level of security permissions wasn’t granular enough. The company thus changed this behavior in later editions of Exchange.
Microsoft indicates in Knowledge Base article 916803 that only Exchange 2003 SP1, and not SP2 or 2000, would be affected by the new “Send As” permissions in the MS06-019 security bulletin, released on May 9. The change in “Send As” behavior is also discussed in KB 895949.
But administrators found that some other builds of Exchange are also affected. This prevents e-mails from being sent to BlackBerrys and possibly other handheld devices. The situation has been reported on at PatchManagement.org, which provides a workaround.
For Small Business Server 2003 boxes that have the monitoring program running and provide the daily 6 a.m. e-mail, you should expect that the box will need a reboot after this patch, despite what Microsoft says.
(916106)
iTunes/Delta hotfix may not auto-reboot
After the application of ISA Server 2004 SP2, I reported earlier that you may have issues downloading iTunes. On Microsoft Update, KB 916106 will also be offered to machines running ISA Server.
If you do not get prompted for a reboot, Technet’s SBS blog gives the details on how to force this. Or you can just plan on manually rebooting your server after installing the patch.
MS06-016 (911567)
Outlook Express patch revisited
The Outlook Express patch of April is being revisited — by this Patch Watch author, anyway, but not by Microsoft.
Reading KB 917288 (the Address Book back-up-and-reimport procedure described in the top story) is still your only means of resolution to the problems caused by this patch, short of uninstalling it.
If you’re an Outlook Express user, and also have a copy of Microsoft Outlook on your computer, you already suffer through the monthly resetting of the default mail client to Outlook.
It saddens me to see that many people who support Outlook Express are recommending that this patch remain off of your system. It’s patches like this that break patch trust and lead folks like WKimmel to turn off Automatic Updates.
For the record, I’m not ready to recommend that stance. But after April’s batch of updates, I can understand the viewpoint. I think we need to be much more aware of the software we’re installing on our machines.
(900485)
Blue Screen do-it-yourself debugging
I was beta testing the other day and got myself into a situation where a USB driver was causing almost completely predictable blue-screen events. This was the tell-tale blue screen with the unreadable “stop” error codes.
In reading a blog post by Peter Gallagher, I found that I could learn the issues with that build as well as a more recent blue-screen event. While you wouldn’t want to have the Blue Screen of Death on a regular basis, I can say that I’ve followed the guidance enough now to feel comfortable doing a self-analysis when one occurs.
There still has been no formal acknowledgement by Microsoft of the confusion over a blue-screen-prevention patch known as KB 900485. This is an old hotfix, first released last December, that automatically was pushed down to PCs by MS at the end of April. Even folks in the newsgroups have been scratching their heads. No one seems to know why this hotfix should show up in Automatic Updates now, without warning. The confusion is visible in several posts.
I agree that prevention of blue screens (the stated purpose of the obscure hotfix) is indeed a good thing. But it should have been delivered with advance notice, rather than appearing to be force-installed as an accident.
RealVNC needs patching
RealVNC, a tool used by system administrators for remote administration, was recently found to have a security flaw. This is already being seen in exploit attempts, as reported by Incidents.org. RealVNC 4.1.1 and prior versions should be upgraded.
Patch-debugging articles to keep handy
The other day, I set up a new workstation. After checking in with the WSUS server, some of the Office patches failed to install, displaying an error code of 0x80070643.
The specific error I experienced is explained in KB 903772. But another great article I suggest you keep around for troubleshooting update problems is KB 906602.
If that doesn’t help you, and you get really stuck in deploying a patch, after exhausting the free support from Microsoft, you can post about your issue in the Microsoft Communities. If you’re a system administrator with a need to stay abreast of this, I’d also recommend the PatchAholic blog as well as keeping the WSUS blog in your RSS reader.
Eolas patch impacts Outlook Web Access
This is for those of you who are using Vista or Windows XP and now have to “click to enable control” to compose an e-mail in Outlook Web Access. On Vista, the condition may in fact prevent you from creating any e-mails at all.
The solution is a patch Microsoft is providing for Exchange Server. But here’s the catch — it’s only offered for servers running Exchange 2003 SP2 and Exchange 2000 SP3.
If you’re affected by this issue, review KB 911829 for information on downloading the patches needed to correct OWA.
WSUS blasts SQL 2005 SP1
I was expecting SQL 2005 SP1 to come out soon on WSUS. But I wasn’t quite expecting a gigantic file to be offered up for synchronization.
Bobbie Harder reports in the WSUS newsgroup that if you have “All Products/Only English” set in your options, you’ll be offered a 6 gig bundle. (Yes, I said gig, it’s that big). This package is a service pack that includes support for all platforms and configurations in a single gulp for your downloading pleasure.
Harder is advising folks not to approve the patch and to hang tight for now.
I don’t like to deploy SQL service packs remotely anyway, and I certainly do not approve the downloading of this service pack on your WSUS servers.
Update: Harder reported on May 24 that the service pack’s metadata was erroneously downloading all language versions, regardless of what language was selected in WSUS. This problem was ostensibly fixed by the evening of May 24, Pacific Time. Nothing in the binary files themselves changed. I’ll write more in my next column about the results.
Next month, Boston and more patches
Next month, during the week of Patch Tuesday, I’ll be in Boston at Microsoft’s TechEd 2006 event. But never fear, I’ll still be testing patches, watching the newsgroups, and chatting with fellow admins about how we handle patch management.
We already anticipate that companies running Siebel applications must either get a patch from Siebel or forego installing an Internet Explorer patch that’s coming. We also know from the Office zero-day issue discussed by Chris Mosby (above) that we’ll have an Office patch, as noted on the MSRC blog.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received a MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
WinXP networking — too much, too little
It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was… Nawww… It was just Windows XP playing tricks.
This past week, Windows XP networking surprised me twice. The first shocker magically solved a long-standing problem (dare I say a “bug”?) in my office peer-to-peer network. The other event scared the, uh, Dickens out of me.
Wireless networking insecurity
Permit me to start with this cautionary tale.
By now you’ve read (endlessly!) about securing wireless networks. Dr. Seuss could’ve had a field day:
Don’t WEP your WAP out of kilter
Try WPA or a MAC filter
Break the wireless — stake a DMZ
And don’t forget to change SSID.
Boring, eh? You’ve probably read as well that you need to be careful when connecting to “public” networks — Wi-Fi outside of your office, in airports, hotel rooms, and the like. If you’re like me, that stuff probably zings in one ear and out the other.
I use my laptop in the office, and I take it with me on the road. I know that it’s theoretically possible for me to plug into a hotel network to get onto the Internet, only to discover that some creep in another room ran through the files in my Shared Documents folder. Fair enough. I don’t keep anything important in SharedDocs on my laptop anyway. My firewall’s up and running, antivirus is on the job, so nothing scary’s going to jump out and bite me. No big deal.
No big deal. “No big deal,” he says.
XP gives you too much networking
Last week, I popped open my laptop and plugged it into the LAN jack at a hotel in Bangkok. Checked a few news sites, then downloaded my mail. Nothing weird. A few minutes into the download, my antivirus program started having conniption fits: my machine had become infected.
Sheesh. A bunch of infected .exe files: C:\Documents and Settings\All Users\Documents\SharedDocs.exe, …\Documents\My Music\Sample Music\Sample Music.exe, and so on. Pain in the neck. I stepped patiently through the antivirus warning dialogs, clicking to quarantine each suspect file in turn. The dirty deed done, I turned on the TV and waited for the rest of my mail to download.
But then it happened again. AV software hits the roof. Infected files found. I start clicking to quarantine — when it suddenly hit me. The files I was consigning to quarantine had the same names as the earlier dodgy files. Those infected files were coming in over the LAN cable, in real time, and I had let them in. D’OH!
I yanked the cable out of the LAN jack, then went spelunking through Windows for the setting that keeps creeps from putting files in my Shared Docs folder. To find it, click Start, Control Panel, Security Center. At the bottom, click Windows Firewall. When the firewall dialog box comes up, click the Exceptions tab, then remove the check mark next to “File and Printer Sharing.” Click OK, then “X” out of the Security Center. Nice and intuitive.
Of course, I should’ve been smart enough to disable File and Printer Sharing before I connected to the hotel’s network — or any other network, or even if I just have my wireless card turned on (see Chris Mosby’s description in the Jan. 26, 2006, issue of the wireless Achilles heel that’s built into the 802.11 specification). I simply don’t think of keeping the creeps out when I should.
When I got back to the office, of course, I had to follow the preceding steps in reverse to allow other computers to get into my laptop’s Shared Docs folder. It might be worthwhile jotting down those steps (or printing this page) and sticking the hardcopy in your laptop’s bag. Never know when you might need ’em.
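The same two-way switch as a script you can keep in the laptop bag. This is an added example, not code from the original column; it assumes the Windows XP SP2 firewall and its `netsh firewall` context (Vista also accepts that context, though it prefers `netsh advfirewall`), and the script name and its `-Mode` parameter are my own choice.

```powershell
# travel-mode.ps1 -- added example, not part of the original column.
# Usage:  .\travel-mode.ps1 -Mode Travel   (before plugging into a hotel LAN or Wi-Fi)
#         .\travel-mode.ps1 -Mode Office   (back on the trusted office workgroup)
param(
    [ValidateSet("Travel", "Office")]
    [string]$Mode = "Travel"
)

# The Exceptions-tab check box for "File and Printer Sharing" corresponds to the
# FILEANDPRINT service in the XP SP2 firewall; ENABLE/DISABLE map to checking/unchecking it.
# Assumption: the 'netsh firewall' context is available (XP SP2, Server 2003 SP1, Vista).
$fwMode = if ($Mode -eq "Travel") { "DISABLE" } else { "ENABLE" }

# profile=ALL covers both the Domain and Standard profiles, so the setting holds
# whether or not a domain controller happens to be reachable.
netsh firewall set service type=FILEANDPRINT mode=$fwMode profile=ALL

# Confirm before connecting: FILEANDPRINT should show Disable in Travel mode.
# Note this only closes the inbound exception (TCP 139/445, UDP 137/138); the
# Server service itself keeps running, so the shares reappear the moment you re-enable it.
netsh firewall show service
```

Run it as an administrator; a limited user cannot change firewall exceptions. The `show service` output at the end is the check worth reading before you plug in: if FILEANDPRINT is still listed as enabled, the command did not take.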
XP gives you too little networking
I’ve had an enormously irritating connection problem on my office network (a workgroup peer-to-peer Windows network) for the past year or so. There’s one machine on the network, called Fido, that refuses to play with the others. When I work on Fido, I can get “out” to anything on the network: shared folders, printers, drives all work fine. But when the table’s turned — when I try to get into Fido from any other machine on the network — I can’t.
Other PCs “see” Fido, no problem: if I list all the computers in the network, Fido appears on the list, sits up and barks. If I try to double-click on Fido, though, I get a long pause, followed by a message telling me that Fido is unavailable. If that sounds like a problem you’ve encountered, read on. There’s a solution.
With a bit of trial and error, I found that I could get into specific shared folders, printers, drives and the like, but I had to refer to them directly: if I tried to open \\Fido\shareddocs from another network computer, Windows took a century, but sooner or later, the shared folder opened. I could add a network printer called \\Fido\HPPSC, if I typed in the name and didn’t try to convince Windows to “find” it. With a workaround in hand, I gave up trying to find a solution. Fido’s lack of communication just festered — another one of those inexplicable Windows problems that you just learn to live with.
Then, last week, I bumped into an article in Fred Langa’s Langa List newsletter (which, it should be noted, I read religiously and recommend wholeheartedly). Fred published a brief follow-up from a reader named Manny that described a problem which seemed only tangentially related to the one I’d been experiencing.
Manny’s advice: In the Registry, under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, change the value of restrictanonymous to 0 instead of 1 or 2. Don’t change restrictanonymoussam. This is documented in KB article 246261. Keep in mind what that value is for: it limits what anonymous (null-session) connections can enumerate on the machine, so setting it to 0 removes a hardening step on Fido. That’s a fair trade on an isolated office workgroup; it isn’t one on a laptop that also gets plugged into hotel networks.
I tried it, and Fido sat up, barked and started wagging his workgroup tail.
Woody Leonhard writes books about Windows and Office. His most recent works are Windows XP All—In—One Desk Reference For Dummies, Windows XP Timesaving Techniques For Dummies, Windows XP Hacks & Mods For Dummies, Office 2003 Timesaving Techniques For Dummies, and Special Edition Using Office 2003 (with Ed Bott).
The exploit market is heating up
There’s more evidence to suggest that vulnerabilities are going back underground. Or at least, going to the highest bidder.
I believe it’s fortunate that there are a few above-board high bidders that are snapping up these exploits and keeping them off the market. Otherwise, I think things could be much worse.
Commercial exploit trading continues its growth
I’ve touched on the concept of vulnerability economics a number of times. I went into detail in my Mar. 2 column. The summary is that some vulnerability researchers are selling their newfound exploit information to third parties rather than giving it to the affected software vendor or doing a public release.
We know this is growing, both explicitly and implicitly. Companies like iDefense and 3Com (via their TippingPoint division) buy exploits, work with vendors, and eventually release advisories when patches are available. Those are the “explicit” cases.
The implicit cases occur when a vulnerability is first discovered in the wild, and a commercial motive is clear. It could be spyware distribution or, sometimes, industrial espionage.
As discussed in Chris Mosby’s column in this issue (above), there’s a Microsoft Word zero-day exploit making the rounds. The first public report I am aware of was from the SANS Internet Storm Center. (If you like hearing about the latest rumors and attacks, the ISC is an excellent resource.) Microsoft has acknowledged the vulnerability as well.
In the ISC’s report, it stresses that the “group originating these attacks does so in a very targeted fashion” (emphasis in the original). Microsoft’s MSRC blog entry also has the phrase “this is a *very* limited attack,” with boldface and stars.
For me, this attack has very interesting implications, and not necessarily the ones the ISC and MSRC seem to have intended.
First off, I agree that the Word attack is not in wide use — yet. Still, I take note of the fact that this is a very simple “open-the-document-and-get-owned” vulnerability. This type of vulnerability has a lot of value. Maybe it’s not as sexy as a drive-by Web browser exploit. But it’s still very serviceable.
It’s notable that this Word exploit was used in a very targeted way. Does the attacker have a collection of similar exploits? Did he find it himself, or did he buy it on the open market?
The most pressing question, though, is this: Now that a high-value Word flaw has been “outed,” and will presumably be patched soon, is there any reason for the attacker not to start using it as widely as possible?
I hope you remember how to block .doc and .rtf files at the e-mail filters from the Word macro-virus days. I’m also happy to see that a number of antivirus companies now report that they detect the threat. So make sure those AV updates are in place.
iDefense issues a new challenge
Something else I’d mentioned in my Mar. 2 column was iDefense’s “quarterly challenge.” They were offering to pay $10,000 USD for any vulnerability that resulted in a Microsoft bulletin rated “critical.”
I haven’t seen any results from that challenge yet. It’s possible, however, that Microsoft just hasn’t released the relevant patches yet. Hence, iDefense hasn’t released any advisories, either.
Meanwhile, iDefense has announced its Second Quarterly Challenge. This time, it’s regarding database software: Oracle, Microsoft, IBM, MySQL, and PostgreSQL.
Once again, I see that the top prize requires a vendor bulletin with the highest severity rating. I wonder, would you even go after the Oracle ones? It might take you three or four years to get paid.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Word zero-day exploit causes concern
It used to be that the term “zero-day” exploit was just a concept that companies like Microsoft treated as a myth. The idea of a vulnerability being found in one of their products and the exploit for that vulnerability coming out at the same time is something that no one wanted to believe could happen.
Now, however, zero-day exploits do happen — but only sporadically. When these exploits do surface, it’s a cause for concern for everyone. There is usually no defense against them until they can be understood and patches or workarounds can be made available. Such is the case with the Word zero-day vulnerability that was discovered recently.
Exploit used to target specific company
The Internet Storm Center (ISC) reported recently that e-mails containing a Microsoft Word attachment were sent to certain people at an undisclosed company. When opened, the doc file exploited a previously unknown vulnerability in Word. This exploit acted as a “dropper.” It extracted a Trojan when the infected document was opened.
After that, the exploit overwrote the infected Word document with a non-infected copy, caused Word to crash, and offered to attempt to re-open the file. If the user agreed, the newly created but “clean” copy of the Word document was opened with no problems.
From there, the Trojan that was dropped on an infected machine could do one or more of the following:
- Use rootkit techniques to hide itself.
- Attempt to check in with a specific Web site.
- Wait for commands from the Trojan author, including gathering system information and taking screen shots of the system.
The e-mails bearing this hacked Word document were crafted to appear to be coming from inside of the company. However, an alert user was able to tell that the e-mail did not come from internal sources and alerted the company’s computer security staff.
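The Trojan’s “check in with a specific Web site” behavior is exactly what outbound monitoring can catch. The following is an added example, not code from the newsletter or the ISC: it reads Squid-style proxy access-log lines (a constructed sample; the hostnames are placeholders, not real indicators) and flags any client that polls one host at a nearly constant interval.

```python
"""Added example (not from the newsletter or the ISC): spot a dropped
Trojan's periodic check-in with one Web site by reading outbound proxy logs.

Assumptions: Squid-style access.log lines (unix_ts elapsed client code/status
bytes method url ident); the sample below is constructed, not real traffic."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample: 10.0.0.23 polls a single host every ~300 s while
# 10.0.0.15 browses normally. Hostnames are placeholders, not indicators.
SAMPLE_LOG = """\
1148140000.000 120 10.0.0.15 TCP_MISS/200 812 GET http://intranet.example/home -
1148140000.500 200 10.0.0.23 TCP_MISS/200 512 GET http://c2-placeholder.example/check.php -
1148140030.000 90 10.0.0.15 TCP_MISS/200 4310 GET http://news.example/story/1 -
1148140300.400 210 10.0.0.23 TCP_MISS/200 512 GET http://c2-placeholder.example/check.php -
1148140420.000 80 10.0.0.15 TCP_MISS/200 2200 GET http://news.example/story/2 -
1148140600.700 190 10.0.0.23 TCP_MISS/200 512 GET http://c2-placeholder.example/check.php -
1148140900.100 230 10.0.0.23 TCP_MISS/200 512 GET http://c2-placeholder.example/check.php -
1148141200.300 205 10.0.0.23 TCP_MISS/200 512 GET http://c2-placeholder.example/check.php -
"""

def parse_line(line):
    """Return (timestamp, client_ip, host) for one access.log line."""
    fields = line.split()
    ts, client, url = float(fields[0]), fields[2], fields[6]
    return ts, client, urlsplit(url).hostname

def find_beacons(log_text, min_hits=4, max_jitter=0.15):
    """Group requests by (client, host) and flag pairs whose inter-request
    gaps are nearly constant (std-dev / mean <= max_jitter).
    Returns {(client, host): mean_gap_seconds}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host = parse_line(line)
            hits[(client, host)].append(ts)
    suspects = {}
    for key, times in hits.items():
        if len(times) < min_hits:      # too few requests to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[key] = avg
    return suspects

if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host} every ~{period:.0f}s: investigate this host")
```

Normal browsing rarely produces evenly spaced requests to one host, so a low jitter ratio is a useful first filter; tune `min_hits` and `max_jitter` against your own proxy logs before alerting on it.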
What’s been done for defense so far
This exploit was initially used only to target specific people at a specific company. But that doesn’t mean Microsoft and the security community haven’t taken the flaw seriously. Microsoft has already indicated in its Security Response Center Blog that it’s working on a patch for this issue that will be released in the next patch cycle (presumably, June 13). It’s also added detections for the exploit and Trojan to the Windows Live Safety Center.
Microsoft is also working with antivirus vendors to get detection out there for the exploit and any malware that exploits the vulnerability. Most antivirus vendors have now added detection for this exploit and, in some cases, two variants of the Trojan. These companies have rated the problem low risk due to the very limited and specific nature of this attack.
How to prepare yourself for next time
The ISC has some proactive steps that your company can take to protect itself from something like this happening in the future:
Note that this is not a temporary situation that will blow over soon. Microsoft will release a patch against this problem in June, but even after that there are likely to be other attacks using other exploits. So let’s think beyond the next couple of days on how to defend your network.
- User education is of course key, but likely insufficient. Attacks like this will use very plausible messages. Create some examples to re-emphasize this fact. “What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document.” Teach users to double-check out-of-band. “Do not open the document before calling the customer.”
- Do not trust antivirus software alone. Defending against zero-day attacks is all about defense in depth. Antivirus is likely going to fail you for an exploit like this. Consider a system that quarantines attachments for at least 6-12 hours to allow antivirus signatures to catch up. This may not be acceptable for a lot of organizations, but specifically now, with a known exploit, it may be a reasonable step.
- Limit users’ privileges. The particular sample I reviewed will not run as a nonadministrative user. It will be much easier to clean up after an exploit like that if the user has no administrator rights.
- Monitor outbound traffic. Your IDS and your firewall are as valuable for protecting your network from malicious traffic entering as they are for protecting you against your corporate secrets leaving your network. Consider deploying “honey tokens,” files with interesting names that contain a particular signature your IDS will detect.
- Block outbound traffic. Try to limit the sites that are accessible to users and use techniques like proxy servers to isolate your clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.
- Limit data on desktops. Try to teach users to limit data they store “in reach.” This is a difficult balance. But a file on a remote system, which would require additional authentication, will likely not be accessible by a bot, as in this case. Locally encrypted files will work too (as long as they stay encrypted until used). Encrypted file systems will not help, as they will be accessible to the user opening the Word document.
Again, none of these techniques is perfect. Each one can be circumvented. But the more layers you can wrap your users in, the better. Think what will work well in your organization. Personal firewalls on desktops? Traffic control with flowtools or ntop? What are the tools you already have that can be used for this purpose?
There are also some rather more radical “solutions” possible if you absolutely need to be sure that you can continue working independently of this zero-day (and the inevitable variants to follow soon):
- Consider additional filtering, for example, using software that converts Word’s .doc format to one that cannot carry the virus, e.g., .rtf. (Rich Text Format files have most of the formatting features of .doc files but cannot contain macros. Word will, however, run macros in .doc files that have been renamed to have an .rtf extension.) Consider using the free wvWare library. In this case, you will lose formatting — but that might be an acceptable trade-off to secure e-mail that’s coming from outside your organization.
- Consider the possibility of disabling Word and replacing it with OpenOffice until Microsoft releases patches.
Please keep in mind that this Word zero-day exploit is not currently widespread, but nothing is keeping it from being that way. The more prepared you are until this is fixed by Microsoft, the safer you will be.
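Two of the ISC’s suggestions above, quarantining attachments so AV signatures can catch up and the warning that Word will still run a .doc that has merely been renamed .rtf, come down to one rule: decide on the bytes, not the file name. The following is an added example (not code from the newsletter, the ISC or Microsoft) that classifies a Word attachment by its leading bytes and returns a triage action; the sample attachments are constructed inline.

```python
"""Added example (not the newsletter's or the ISC's code): triage an inbound
Word attachment by content, so a binary .doc cannot slip past a filter just
by carrying an .rtf extension.

Assumption: classification by leading bytes only (OLE2 compound-file magic
for binary .doc, "{\\rtf" for Rich Text); samples are constructed, not real."""
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary .doc container
RTF_MAGIC = b"{\\rtf"                              # every RTF file starts so

def sniff_format(data):
    """Classify content by magic bytes, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"

def triage(filename, data, hold_hours=12):
    """Return (action, reason). Actions: 'deliver', 'quarantine', 'reject'.
    An .rtf name wrapped around an OLE2 body is the renamed-.doc case the
    ISC warns about: Word would still treat it as a .doc, so reject it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_format(data)
    if ext == "rtf" and fmt == "ole2":
        return "reject", "OLE2 .doc content disguised with an .rtf extension"
    if fmt == "ole2":
        return "quarantine", f"binary .doc held {hold_hours}h for AV signatures"
    if fmt == "rtf":
        return "deliver", "genuine RTF cannot carry Word macros"
    return "quarantine", f"unrecognised content ({ext or 'no'} extension)"

# Constructed samples, not real attachments.
SAMPLES = {
    "report.doc": OLE2_MAGIC + b"\x00" * 64,
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
    "invoice.rtf": OLE2_MAGIC + b"\x00" * 64,   # a .doc renamed to .rtf
    "readme.txt": b"plain text",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        action, reason = triage(name, body)
        print(f"{name}: {action} ({reason})")
```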
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He runs the SMS Admin Store and is a contributor to Configuring Symantec Antivirus Corporate Edition.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).