Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
Windows Genuine Advantage is still genuinely bad
In this issue
- TOP STORY: Windows Genuine Advantage is still genuinely bad
- KNOWN ISSUES: Call to learn whether your Dell or HP is covered
- WACKY WEB WEEK: Feeling twitterpated? You're not the only one!
- LANGALIST PLUS: Solving 'me first' software startup conflicts
- WINDOWS SECRETS: There'll be no easy upgrade from XP to Windows 7
- PATCH WATCH: Critical patches released for Internet Explorer
Windows Genuine Advantage is still genuinely bad
By Ryan Russell
Microsoft’s system for validating Windows before users can download most updates continues to be a problem for legitimate customers and for Internet security as a whole.
Despite claims of offering better security, Windows Genuine Advantage (WGA) serves only Microsoft’s marketing interests — but you can eliminate the need for WGA if you know the trick.
Microsoft has long been considered a marketing bully, but with WGA the company has taken its lack of consideration for its customers to a new low.
Windows Secrets has been tracking the WGA story for years. Editorial director Brian Livingston aptly labeled an earlier version of WGA as “Microsoft spyware” in a June 15, 2006, Top Story.
More recently, Brian remarked in a March 30, 2009, news update that PCs failing WGA validation don’t automatically receive all available patches from Microsoft. That spawned a critique from a Microsoft spokeswoman which was printed, along with Brian’s response, in technical editor Dennis O’Reilly’s Known Issues column on April 2. (There’s also an Office Genuine Advantage program, which you hear less about but has the same problems as WGA.)
We all want Windows systems throughout the world to be patched for security problems as soon as fixes are released. As a result of the fuss raised by the articles mentioned above, I decided to take another look at WGA.
Here’s what happens if a Windows machine fails WGA validation (or the PC’s owner, based on tales of disabled machines, is too frightened to run WGA):
- Automatic Updates. If the machine is configured with Automatic Updates (AU) enabled, Microsoft installs only those security patches that the company rates as “Critical.” Security patches rated “Important,” “Moderate,” and below are not installed by AU, and no other updates of any kind are installed.
- Windows Update and Microsoft Update. Microsoft’s on-demand patching programs, known as Windows Update (which updates Windows) and Microsoft Update (which updates Windows and other Microsoft products) will refuse to run.
- Manual downloads. Security patches of all levels of severity can be downloaded manually from various Microsoft Web pages and installed individually, if you know where to look.
The third point is the trick to updating a Windows system, regardless of whether it passes WGA validation or you run WGA at all.
Let’s examine how various people and companies are using this method.
How companies patch Windows and avoid WGA
An individual who wants to avoid WGA hassles could visit Microsoft’s current security bulletin page and browse every new patch and advisory. However, it’s unreasonable to expect average Windows users to read each bulletin and decide which patches to install.
A better solution is to use patch-management (PM) software. Every day, dozens of third-party vendors obtain patches from known locations that Microsoft hosts on the Internet. Once the patches are downloaded by the vendors, their software can push the patches out to PCs on a LAN with no worries about WGA. (Disclosure: The company I work for, BigFix Inc., sells a patch-management product that does this for large enterprises.)
Corporations should install a PM solution that resides on a server and pushes patches to individual PCs across a LAN. Network Computing publishes a Rolling Reviews page that analyzes several major PM applications.
Individual PC users have several options to install all security patches — whether rated “Critical,” “Important,” or any other level of severity — without WGA hassles. The following are a few examples:
- The Software Patch. You can do without Automatic Updates and Windows Update/Microsoft Update, which can be hamstrung by WGA, by using The Software Patch. This is a free Web service that WS contributing editor Scott Dunn reviewed — along with a handful of other alternative update services — in his Oct. 4, 2007, Top Story.
- Online Software Inspector. My Dec. 18, 2008, column described Secunia.com’s Online Software Inspector (OSI). This free service scans your PC on demand. OSI then enumerates the security patches that are needed by your copy of Windows, in addition to patches for dozens of applications from Microsoft and other software vendors.
- Personal Software Inspector. My previous column on OSI also described Secunia’s Personal Software Inspector (PSI). This is a free download that you install and run on your PC. At present, its primary purpose is to inform you of security updates for hundreds of applications, and you should run PSI in conjunction with Windows Update or Microsoft Update.
It’s beyond the scope of today’s article to rate the pros and cons of every patching alternative. I hope to bring you a new review of the latest products and services in the coming weeks.
The third-party services mentioned above are compelled by Microsoft to get Windows patches directly from Microsoft’s own servers. That means these services can only install security patches and other updates whose files will install without requiring WGA validation.
Fortunately, almost all Windows security patches (of all severity levels) and many other Microsoft updates install fine — regardless of WGA — if you download the files directly or via a third-party service. Microsoft currently lists on a Genuine Software page a few of its apps that do require WGA, such as Windows Defender, Windows Media Player, and Calculator Plus.
In fairness, Microsoft should get credit for posting all of its security patches (of all levels of severity) on publicly available URLs. At least this policy does provide the files to patch-management professionals who know these locations. By contrast, such firms as Red Hat, Sun, and IBM require contracts and log-in credentials before you can obtain some of these companies’ Linux, Solaris, and AIX patches, respectively.
The big question is this: why would Microsoft cripple its consumer patching tools — Windows Update and Microsoft Update — by disabling them if a PC doesn’t pass WGA validation? The only logical reason I can think of is because Microsoft wants to push WGA, and denying updates to users is the best stick the company can come up with. I believe this decision is a huge mistake.
Windows Update is a crucial service that must remain free from chicanery, because Windows Update is the default program for on-demand security checkups. In computing, defaults are everything. Windows Update is installed and available in every recent copy of Windows on the planet, whether those machines are correctly licensed or not.
Many people disable Automatic Updates because it’s intrusive and has been used in the past to install WGA and other nonsecurity updates. If users can’t run Windows Update as an alternative to AU, there’s a massive problem on the Internet. The battle against malware is already bad enough, and we don’t need anything to make the problem worse. When millions of computers become infected, the attacks from these machines become a problem for you, the paying customer of Microsoft.
DRM exists at the expense of paying customers
Call it what you will: WGA, Digital Rights Management (DRM), anti-piracy, or copy protection. It abuses the hospitality of paying customers in an attempt to thwart those who don’t want to pay. I don’t object one bit to paying Microsoft for the software I use. I do object to being forced to help a company in futile efforts to combat copyright violators.
Copy-protection harms legitimate users who are inconvenienced at best and forced to cope with nonfunctional software at worst. The bad guys, by contrast, aren’t harmed much at all. Pirate operations have the money and time to defeat every copy-protection mechanism. Once pirates have broken a DRM scheme, the unlocked software might be salable for months without the pirates’ needing to deal with the protection any further.
Do you dislike having to insert a CD into a drive to update Microsoft Office or play a game? Guess what: users of the pirated versions of those programs generally don’t have to deal with that. Only the legitimate buyers are inconvenienced.
I’ve been analyzing flavors of copy protection since the early 1980s. During those nearly 30 years, it’s always been the same. Copy protection primarily hurts legitimate users while giving bad guys merely a short period of entertainment.
I do recognize the gray area between the two extremes. There are many users who might violate a software publisher’s copyright if it were convenient to do so. But I still believe that the punishment imposed on a software company’s best customers is not worth the tiny impact on the real pirates.
I’m not saying Microsoft has to give away its products for free. I’m saying that a copyright owner’s battle against piracy is not my problem, so please quit making my life hard in a vain attempt to resolve your legal issues.
Microsoft’s lack of support for its best users, in the name of protecting intellectual property, sometimes reaches absurd levels. A recent example of this is Microsoft’s refusal to support its software on virtual machines unless the VM software is Microsoft’s own. (You can read the details about this in my blog entry posted April 2.)
Microsoft has gotten really aggressive about license protection. The pendulum needs to swing back in the direction of making things easier for the company’s customers.
Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Call to learn whether your Dell or HP is covered
By Dennis O’Reilly
You can’t rely on the information you find on some vendor Web sites to determine whether your overheating notebook qualifies for a free repair or replacement.
In a case recently publicized by Windows Secrets, you would need to contact the company’s tech-support staff directly to find out whether your system is covered by a special extended warranty.
One of the more-disturbing trends in the computer industry is the silent recall. In such cases, a vendor replaces faulty equipment only after the customer complains about it, rather than actively contacting buyers of the defective products.
This appears to be the approach HP and Dell are taking with notebook computers they sold — computers that use a defective Nvidia GPU (graphics processing unit) that overheats, burning out laptops and tablets.
WS contributing editor Michael Lasky described the problem with these notebooks in a Top Story in last week’s newsletter. He included links to a Dell forum thread and an HP forum thread, both of which describe the problem and provide more information.
However, several readers asked us for specific pages on the vendors’ sites, to determine whether a particular notebook is affected. Unfortunately, the problem seems to affect even more Dell and HP models than are listed by the vendors. Trevor Valentine found out first-hand how difficult it is to find this information:
- “Interesting article (especially to an owner of a possibly defective Compaq laptop). Curious to see if my wife’s laptop was affected, I went in search of the defective lists that Mr. Lasky mentioned. This proved a tad tedious, as both Dell and HP seem to have done their best to bury any mention of a defective GPU.
“Here are the lists that I was able to find. I hope that other readers will find these helpful. Interestingly, the second Dell link has this posted:
Dell will offer a 12-month limited warranty enhancement specific to this issue. For all customers worldwide, we plan to add 12 months of coverage for this issue to the existing limited warranty up to 60 months from the date of purchase for the following systems …
“HP lists all affected models along with instructions on possible ‘resolutions.’ The only lists I could find from Dell were listed on one of the corporate blogs.”
HP’s site offers document c01087277 with a list of Pavilion and Presario models the company says are affected. Dell hosts a forum post by “chief blogger” Lionel Menchaca that lists 10 Inspiron, Latitude, Precision, Vostro, and XPS models. A later Dell post lists 15 models.
I have personal experience that the HP list is incomplete, because an HP tablet that I owned — a Pavilion TX1100, which used the faulty Nvidia chip and got fried after only 18 months of use — is not included.
Tom Rupsis reminds us of another way to get a replacement for a defective product whose warranty recently expired:
- “Michael Lasky’s ‘Dell and HP balk at replacing bad Nvidia chip’ article suggested purchasing an extended-service warranty to cover expenses related to the overheating motherboards. As an alternative, look into the features provided with the credit card that may have been used to purchase the laptop.
“Many cards provide extended warranties at no additional cost to the consumer. I made use of this benefit when an HP laptop keyboard failed after 20 months. My MasterCard World card covered the cost of replacing the keyboard, even though HP’s one-year warranty had expired.”
Several readers pointed out that extended warranties for electronics equipment are often a waste of money, as a Consumer Reports article from November 2007 describes. However, the extended warranties offered by most major credit-card companies are usually free. This may be a good reason for you to charge your next computer purchase.
Tech support likes Malwarebytes’ antispyware
Recommendations continue to pour in from readers in response to Ryan Russell’s March 26 Top Story on programs that should be considered for the WS Security Baseline. A letter from an anonymous Microsoft tech-support staffer caught our attention:
- “I read your newsletter and was disappointed by the offered antispyware listed. Spybot Search & Destroy was good back in the day, and so was Ad-Aware, but they aren’t what they used to be. They’re no longer effective, as the infection definition isn’t being worked on as passionately as they had been.
“I work for Microsoft technical support, and 90% of the calls are due to spyware infections, so we ask customers to download Malwarebytes’ Anti-Malware. They have a totally free version. It’s the one we use for clients. It’s so effective, I feel confident the PC you’re using to read this has infections. Are you surprised? Even if it’s just minor adware, it’s an infection still.
“If it weren’t for Malwarebytes.org, I’d be spending more time per call and asking customers to reload Windows more often, because finding one infection could take forever. … The application is painless to install, isn’t too bulky, and requires no reboot after install. The application is a winner all around.
“The Internet is full of scams. It’s shocking to see it day in and day out.”
Ryan’s story never discussed Ad-Aware and mentioned Spybot Search & Destroy only because readers nominated it as one of the few options that will run on creaky old Windows 95 systems. But it’s good to be reminded that some programs that were once highly rated are no longer up to par.
The free version of Anti-Malware, the program the MS staffer recommends, allows you to perform manual scans for spyware on your system. For U.S. $24.95, you can unlock the program’s real-time protection, scheduled scanning, and scheduled updating. For more info, see Malwarebytes’ download page.
Readers Trevor and Tom will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
Feeling twitterpated? You're not the only one!
By Katy Abby
Unless you’ve been hiding under a rock, you’ve probably been inundated by Twitter, the latest fad to take the social-networking world by storm. The 20-word tweets reflect every nuance of a tweeter’s life, down to the most mundane activity. Celebrities such as Ashton Kutcher and Demi Moore have hundreds of thousands of twits hanging on their every tweet, and the numbers are growing. Who really needs this much information on their friends and idols? Even more to the point, who wants to broadcast their humdrum existence in such explicit and uninteresting detail to the nit-picking masses? Take a look at this hilarious animated short that explains “The Twouble with Twitters.” Just sit back, relax, and don’t make a peep!
Solving 'me first' software startup conflicts
By Fred Langa
When two or more programs in your list of autostart apps insist on being the first, they can bring the entire startup process to its knees. There are two ways to change the order in which your startup services and software load: one that’s easy but crude, and another that’s difficult but precise.
Playing referee when apps fight to load first
Hal Allert has several essential programs that need to start very early in the boot process. As a result, they end up stepping on each other’s toes:
- “When my laptop boots up, I usually get the Red Shield from Windows Alert telling me that my Kaspersky Anti-Virus is turned off and I’m not protected. After closing that warning, Kaspersky AV starts up. It tries to get updates from the Web, but my Internet connection hasn’t completed yet.
“Everything else is loading when it wants to, so other warnings are popping up. When my computer is finally connected to the Internet, things calm down. It would seem to be easier all around if the boot order were reversed. Is there a way for me to rearrange the order in which the programs are starting up?”
There sure is, Hal. In fact, there are two ways. One is easy and effective but ungraceful: you use a software tool that interrupts the normal startup process and inserts a user-configurable delay before each startup program runs. For example, you could tell your system to start loading your AV tool (or whatever) immediately and to postpone loading anything else for several seconds.
Because this reduces the multitasking load on your system, the AV tool should start faster than it would otherwise. You can set similar delays before each startup item. By carefully choosing startup delays, you can ensure that lower-priority programs on your autostart list don’t even attempt to run until all your top-priority software is up and stable.
Perhaps the best-known tool of this type is Startup Delayer (more info). It’s free and purposely built for this one task.
Some other system utilities, such as BillP Studios’ free WinPatrol (more info), include startup-delay capabilities along with other features.
But not all startup services and software can be controlled in this way. Also, you have to admit that cramming a delay loop into your startup process is kind of a brute-force solution. The more sophisticated way to do this is to wade into the Registry and manually alter the settings that control which startup services and software run and when they run. This gives you much more control over your startups, but I’m not going to try to fool you: this is a major pain to implement.
For example, the load order for many startup services is controlled by the GroupOrderList Control Entries values in this section of the Registry:
HKLM\SYSTEM\CurrentControlSet\Services
Not all services are listed here, however. And not all startup software runs as a service, so you’ll also have to look at and potentially modify startup items found in the following location:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
And you’ll need to check multiple Registry sections with the following entries: RunOnce, Run, RunOnceEx, and RunEx. Lastly, you need to look at the files in your Startup folder; items listed there run at the very end of the startup process.
If this level of granular control appeals to you, grab a free copy of Microsoft’s Autoruns for Windows. This professional-level diagnostic tool shows you exactly what’s going on during Windows’ startup. The level of detail is miles ahead of what you’ll find in the System Configuration utility (msconfig.exe) and other tools built into Windows. Download and usage information for Autoruns is provided in a Microsoft TechNet article by Mark Russinovich and Bryce Cogswell.
Figure 1. The free Autoruns utility provides professional-level detail about everything that goes on during Windows’ startup.
Once you see which programs are autostarting on your system, refer to Microsoft Knowledge Base article 102987. Scroll to the section called GroupOrderList Control Entries and begin your manual tweaks. If your exploration takes you to other parts of the Registry, the Knowledge Base article can help there as well.
Of course, after seeing what’s involved in the fine-control manual process, you couldn’t be blamed at all if instead you just went with a program such as Startup Delayer. It’s not elegant, but it’s much, much simpler.
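For readers who want to see the manual picture before choosing, here is a read-only inventory of the startup locations named above, written as an added example (it is not from the column or from Autoruns). It assumes the Run-family keys sit under Software\Microsoft\Windows\CurrentVersion in HKLM and HKCU and that service group order comes from Control\ServiceGroupOrder, neither of which the column spells out; RunEx is queried only if it exists on your system.

```powershell
# Added example: read-only inventory of the autostart locations named above.
# Requires PowerShell 3.0 or later; run elevated to read every service key.
$report = New-Object System.Collections.Generic.List[object]
function Add-Entry($Phase, $Location, $Name, $Command) {
    $report.Add([pscustomobject]@{
        Phase = $Phase; Location = $Location; Name = $Name; Command = $Command })
}

# 1. BootExecute: programs the Session Manager runs before any service starts.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$boot = (Get-ItemProperty -Path $sm -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
foreach ($line in $boot) { Add-Entry '1 BootExecute' $sm 'BootExecute' $line }

# 2. Services and drivers that start without user action (Start = 0, 1 or 2),
#    sorted by start type and then by their group's position in ServiceGroupOrder.
#    Assumption: groups missing from that list, and ungrouped services, sort last.
#    Tag order inside a group is defined by Control\GroupOrderList (binary data);
#    the Tag is shown here but not decoded.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List
$rank = @{}
for ($i = 0; $i -lt $order.Count; $i++) { $rank[$order[$i]] = $i }
$startName = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic' }
$services = foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $start = $key.GetValue('Start')
    if ($null -eq $start -or [int]$start -gt 2) { continue }
    $group = [string]$key.GetValue('Group')
    $r = [int]::MaxValue
    if ($group -and $rank.ContainsKey($group)) { $r = $rank[$group] }
    [pscustomobject]@{
        Start = [int]$start; Rank = $r; Group = $group; Tag = $key.GetValue('Tag')
        Name  = $key.PSChildName; Image = [string]$key.GetValue('ImagePath')
    }
}
$services | Sort-Object Start, Rank, Name | ForEach-Object {
    Add-Entry "2 Service ($($startName[$_.Start]))" $svcRoot `
        "$($_.Name) [group: $($_.Group), tag: $($_.Tag)]" $_.Image
}

# 3. Run-family keys, per machine and per user. RunOnceEx keeps its entries in
#    subkeys, so each key is read together with everything beneath it.
$bases = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion',
         'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($base in $bases) {
    foreach ($name in 'RunOnce', 'Run', 'RunOnceEx', 'RunEx') {
        $path = Join-Path $base $name
        if (-not (Test-Path $path)) { continue }
        $keys = @(Get-Item $path) + @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($v in $key.GetValueNames()) {
                Add-Entry '3 Run key' ($key.Name) $v ([string]$key.GetValue($v))
            }
        }
    }
}

# 4. Startup folders, which run at the very end of the startup process.
foreach ($folder in 'CommonStartup', 'Startup') {
    $dir = [Environment]::GetFolderPath($folder)
    if ($dir -and (Test-Path $dir)) {
        Get-ChildItem $dir -File | ForEach-Object {
            Add-Entry '4 Startup folder' $dir $_.Name $_.FullName
        }
    }
}

# Entries were added in load-phase order, so print them as collected.
$report | Format-Table -AutoSize -Wrap
```

The script changes nothing. Compare its output with what Autoruns shows before you edit any of these keys by hand.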
When your right-click ‘Send To’ options vanish
The Send To options on Dick Grack’s context (right-click) menu changed, and he’d like to restore them:
- “On my system (XP Pro SP3), I have two DVD drives. Some time ago, the Send To command, for some reason I can’t figure out, stopped seeing them, although it still sees drives A, B, Documents, etc.
“I can still send/copy data to and from [the DVD drives] with programs like Veritas’ Record Now and Simple Back Up, so I know the drives themselves are functional and XP can ‘talk’ to them. Send To appears to be the only problem.”
Recreating a lost Send To command can be as simple as dropping a shortcut into the Send To folder. Microsoft Knowledge Base article 310270 tells you how to do this in XP.
Although you asked about XP, it’s worth noting that Vista’s Send To is almost as simple to modify. For some inexplicable reason, Microsoft doesn’t offer instructions for this, but a HowToGeek.com article called “Customize the Windows Vista Send To Menu” shows you just how easy it is.
With luck, you’ll have your missing Send To options restored in a matter of minutes!
Disk bloat and the ‘overloaded camel’ syndrome
Michael Lichtenstein feels he’s fighting a losing battle against disk clutter and Registry bloat:
- “I have taken your advice regarding the best computer backup policy, i.e., using imaging software. Over the years, I’ve been using various versions of Norton Ghost successfully. I’m presently running Ghost 14. I’ve used the recovery tool on a few occasions to rebuild my C: drive (Windows) and, of course, saved hundreds of hours as compared to reformatting from scratch.
“I’m becoming aware of a shortcoming of this policy. Over time, Windows and the Registry collect a fair amount of baggage which, taken individually, we can live with but cumulatively can cause problems. Over the last few years, I’m afraid that my Ghost images have been collecting this negative baggage and institutionalizing minor mistakes and leftover entries. At some point, a single straw can and does break the camel’s back.
“So when, for some reason, Windows is acting very strangely, I can and do recover an older image that apparently fixes the problem; yet very soon thereafter, Windows (or some program) is acting strangely once again.
“Of course, the ultimate answer is to reformat and reinstall everything, a decision which I’m very close to making. Do you have an idea or suggestions on how, after reformatting, we can avoid collecting these minor problems that after a few years add up to an ‘overloaded camel’?”
There are several things you can do to help preserve any Windows setup and help keep it running like new.
For example, my March 13, 2008, column, “Using Windows’ hidden Disk Cleanup options,” and my March 27, 2008, follow-up article, “Get better results deep-cleaning Windows drives,” can help you keep your setup and temp areas from becoming cluttered.
Any of several excellent Registry cleaners can help you strip out obsolete or otherwise bogus entries in your Registry. Piriform’s CCleaner (more info) is free, fast, and extremely popular. Personally, I like Macecraft’s jv16 PowerTools (more info) for its additional flexibility, though it costs U.S. $30 after a one-month free trial. (In practice, I actually use both tools; I find that using one after the other can do more than either does on its own.)
With your setup in general and your Registry in particular kept lean and clean, your Windows installations should go a long, long time between refreshes or rebuilds.
A reader tips us off to a great uninstall tool
One of the best things about Windows Secrets readers is that they’re willing to share what they know. That makes this newsletter a vital, living, two-way thing rather than a one-way pipeline.
For example, after I wrote in my March 26 column about the extreme steps you sometimes have to take to remove left-behind traces of supposedly uninstalled software, many readers sent in suggestions such as this one from Jack Campbell:
- “I used to have the same problem as Jim Denneny’s: cryptic bits left behind in the Registry after uninstalling. Sometimes, hundreds of bits required extended Registry surfing to remove. Many times, these entries bore no resemblance to the original program.
“I finally found a little program that solved my problem. Revo Uninstaller not only runs Windows’ uninstaller but then searches the Registry for those cryptic entries and safely removes them semiautomatically. I’ve been using it for about a year with never a problem. Thought your readers would benefit.”
To learn more about Revo Uninstaller and find a download link, visit the vendor’s site. You’ll find descriptions of other such utilities in the Windows Secrets article, “Best free uninstallers.”
Thank you, Jack, and everyone else who wrote in!
Reader Jack Campbell will receive a gift certificate for a book, CD, or DVD of his choice for sending a tip we printed. Send us your tips via the Windows Secrets contact page.
Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
There'll be no easy upgrade from XP to Windows 7
By Mark Joseph Edwards
XP users who plan to upgrade directly to Windows 7 will have to completely erase their existing installations to do so. The Windows 7 installer may help you move your XP files and settings, but you’ll still have to reinstall all your applications.
Mainstream support for XP ends with a whimper
Windows XP is officially an orphan. Two days ago — April 14 — Microsoft stopped supporting XP for free. The exception is certain security patches, which will continue to be released until April 8, 2014, according to a schedule posted on Microsoft’s Help and Support site. Other than those patches, the only way to get any other type of XP fix now is by purchasing extended-support contracts, although they will also expire on April 8, 2014.
XP has been on the market since October 25, 2001, so there aren’t likely to be many new problems that will be fixed in the OS, apart from security holes. If you use XP, of course, you’ll probably want to continue to receive security patches.
For example, a devious person on a LAN can exploit a flaw in XP’s Internet Connection Sharing feature, according to an alert by eEye Digital Security. The firm first reported this in October 2006 and says Microsoft still hasn’t patched it in the intervening years. The problem is rather significant in that an untrustworthy user could disable the Windows Firewall on a host machine, possibly leaving it open to other attacks.
If you plan to migrate your XP system to Windows 7, you may be in for a bit of a shock. You’ll have to do a clean install of Windows 7, because Microsoft won’t offer a direct upgrade path from XP.
Here’s an excerpt from an April 7 post on the Engineering Windows 7 blog:
- “We realized at the start of this project that the upgrade from XP would not be an experience we think would yield the best results. There are simply too many changes in how PCs have been configured (applets, hardware support, driver model, etc.) that having all of that support carry forth to Windows 7 would not be nearly as high quality as a clean install.
“This is something many of you know and already practice. We do provide support for moving files and settings and will prompt at setup time, but applications will need to be reinstalled. We know that for a set of customers, this tradeoff seems less than perfect, but we think the upfront time is well worth it.”
Microsoft’s XP-to-Win7 upgrade policy doesn’t make sense to me. The question in my mind is, if I can upgrade from XP to Vista and then to Windows 7, why can’t I upgrade to Win7 directly from XP? It seems to me that Microsoft is saying, “You can pay us for Vista, or you can pay a price in time and effort for not buying Vista.”
Holes discovered in Trend Micro security apps
Nikita Tarakanov of Russian-based security company Positive Technologies reports several privilege-escalation vulnerabilities in Trend Micro Internet Security 2008 and 2009, including the Pro versions. The problems stem from improper data validation, which could allow a local user to gain excessive privileges on the system.
As far as I know, there’s no fix available from Trend Micro, even though the problem was initially reported to the company on Feb. 4 and again on Feb. 12. Positive Technologies didn’t receive a response from Trend Micro, and on March 31, a third party disclosed details about the problem, according to Positive Technologies. The security firm then went public with its information about the weakness.
As you might expect, a working exploit of this hole is now circulating, so Trend Micro needs to address the problem quickly. Until patched versions of the programs are released, there’s nothing you can do to protect your systems from the exploit.
Linksys wireless router is open to attacks
Russ McRee of HolisticInfoSec.org reports that Cisco’s Linksys WRT160N wireless router is vulnerable to cross-site request forgery attacks. If you visit a site that contains an exploit targeted at the WRT160N while signed into the device’s management app, the exploit can modify your router settings. (An article by the Open Web Application Security Project describes the mechanics of cross-site request forgery attacks.)
The exploit works like this: you sign into your router’s management app and visit a malicious site before you sign out. The site contains some sort of JavaScript or link that, when triggered, takes action against your router — which works because you’re still signed in and your router is managed via the browser.
According to McRee, the problem definitely exists in hardware version 1 and firmware version 1.02.2. Although Cisco has released newer versions of the router, the company hasn’t said whether the same exploit affects the newer devices. Meanwhile, we have to assume that it does.
Your defense against the vulnerability is to make certain that you don’t visit any Web sites while managing your WRT160N. You need to log out of your router once you finish your management tasks — which you should do, even when there aren’t any known exploits targeting a particular router.
Be sure to check Cisco’s WRT160N software download page and watch for a newer version of the router’s firmware.
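The weakness described above comes down to a management interface that trusts the session cookie alone. The following sketch is an added example, not code from the router or from McRee's report: it contrasts that cookie-only check with a handler that also requires a same-origin request and a per-session token. The address, field names and session store are hypothetical, and the two requests are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical values for illustration; none describe the WRT160N firmware.
ADMIN_ORIGIN = "http://192.168.1.1"
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-abc123"}  # constructed: one signed-in admin session


def csrf_token(session_id):
    """Per-session token the admin page embeds in each settings form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """True only if Origin (or, failing that, Referer) is the admin UI."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def accept_cookie_only(req):
    """Weak check: a live session cookie is enough to change settings."""
    return req["cookies"].get("session") in SESSIONS


def accept_hardened(req):
    """Session cookie, same-origin request and a matching anti-CSRF token."""
    sid = req["cookies"].get("session")
    if sid not in SESSIONS or not same_origin(req["headers"]):
        return False
    sent = req["form"].get("csrf_token", "")
    return hmac.compare_digest(sent.encode(), csrf_token(sid).encode())


def sample_requests():
    """Constructed requests: one from the admin page, one from another site."""
    sid = "sess-abc123"
    genuine = {"cookies": {"session": sid},
               "headers": {"Origin": ADMIN_ORIGIN},
               "form": {"ssid": "home", "csrf_token": csrf_token(sid)}}
    # The browser attaches the cookie automatically, but a foreign page
    # cannot read the token, and the browser reports that page's origin.
    cross_site = {"cookies": {"session": sid},
                  "headers": {"Origin": "http://other-site.example"},
                  "form": {"ssid": "changed"}}
    return genuine, cross_site
```

The cookie-only check accepts both requests, which is why signing out before browsing elsewhere matters; the hardened check accepts only the one that came from the admin page.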
Old worm follows in Conficker’s footsteps
All the media hype about Conficker unleashing some dastardly new attack on April 1 turned out to be just that: hype. Since I was pretty sure Conficker would be a non-issue on April 1, it came as no surprise when nothing much happened on that date.
In my opinion, the media would have done well simply to say “Conficker might become active on April 1, so clean your systems before that date.” This is precisely the advice offered by WS editorial director Brian Livingston in his March 30 news update about Conficker.
The fact is, trouble can strike your systems any day, so use some common sense and don’t fall victim to the scaremongers.
That said, at least one other worm is now being hyped as “Conficker’s cousin.” The latest rendition of the Neeris worm — which was first detected back in 2005 — is exploiting the vulnerability patched by the update described in Microsoft security bulletin MS08-067. That’s the same hole Conficker has often exploited to spread itself.
The new Neeris variant can infect new systems by taking advantage of Windows’ AutoRun feature. Once the worm makes it onto your computer — via a malicious download, infected media device, or other source — it sets itself to load every time Windows boots up. Later, if you insert a removable media device, it’ll try to infect that device using the same AutoRun hole that Conficker attempts to leverage.
If a removable device becomes infected and then is inserted into a noninfected system, AutoRun — via the autorun.inf file on the infected removable device — will try to launch the code to infect that system. You’ll find more information about the exploit on Microsoft’s Malware Protection Center.
The infection then sends links over various chat channels and may try to copy itself onto your system’s removable drives. It’s also capable of hacking into SQL servers and spreading via the security hole that’s fixed via MS06-040.
What you need to know — before the media hype gets too thick — is that Neeris is no big deal. If your antivirus software is up-to-date, the worm most likely won’t affect you, because your security software will detect the worm and stop it cold.
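To check removable media for the AutoRun mechanism described above, the following added example (not from the column or from Microsoft) looks in the root of each drive for an autorun.inf file and lists any entries that would start a program. The function names are hypothetical and the sample file is constructed.

```python
import re
from pathlib import Path

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def launch_entries(inf_text):
    """Return (key, command) pairs found in the [autorun] section.

    Tolerates junk lines, odd casing and stray spaces, because a hostile
    autorun.inf does not have to be tidy.
    """
    entries, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and LAUNCH_KEY.match(key.strip()) and value.strip():
            entries.append((key.strip().lower(), value.strip()))
    return entries


def scan_roots(roots):
    """Map each autorun.inf that launches something to its launch entries."""
    findings = {}
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # drive not mounted or path missing
        for child in root.iterdir():
            if child.is_file() and child.name.lower() == "autorun.inf":
                data = child.read_bytes()
                utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
                hits = launch_entries(data.decode("utf-16" if utf16 else "latin-1"))
                if hits:
                    findings[str(child)] = hits
    return findings


# Constructed sample for the test; not taken from any real worm.
SAMPLE_INF = """\
; padding line
[AutoRun]
Icon=folder.ico
OPEN = tool.exe /q
shell\\open\\Command=tool.exe
[Other]
open=ignored.exe
"""
```

Call `scan_roots` with the drive roots you want checked, for example `scan_roots(["E:\\", "F:\\"])`; a file that sets only an icon or label is not reported.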
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
Critical patches released for Internet Explorer
By Susan Bradley
Two separate updates for all IE versions prevent carpet-bombing attacks that are already targeting the browser. One of the IE patches blocks remote-code execution on XP and Vista PCs that also have Apple’s Safari browser installed.
MS09-014 (963027) and MS09-015 (959426)
Don’t wait to apply these fixes for IE
Six separate vulnerabilities in Internet Explorer versions 5.01 through 7 are addressed in the cumulative security update described in Microsoft security bulletin MS09-014 and Knowledge Base article 963027. The patches prevent attacks that can be launched from malicious Web pages. These days, merely using a search engine can lead you to such sites.
The vulnerability was first discovered in the Windows version of Apple’s Safari browser. The “carpet bombing” attack is described in Microsoft security advisory 953818, which was initially released in May 2008 and was updated this week. To be fully protected, you must also install the patch described in Microsoft security bulletin MS09-015 and KB article 959426.
Even if you use Firefox, Chrome, Opera, Safari, or another third-party browser, it’s still critical that you patch Internet Explorer. Why? Because IE is a key component of Windows and thus can be used as an attack vector.
(This month’s IE patches also fix nonsecurity issues documented in KB article 963027. These problems cause the browser to loop endlessly when you open a page with a refresh tag or to stop responding when you attempt to remove an image.)
Exploits targeting these vulnerabilities are already in circulation, so install these updates right away.
IE 8 upgrade to be offered via Windows Update
As early as next week, you may see Internet Explorer 8 listed on Windows Update. If you use XP (SP2 or higher), IE 8 will be offered as a high-priority update. Vista users will see the browser update listed as an optional patch.
Don’t panic: the new version won’t be mandatory. You’ll have ample opportunity to say no to the download. The Internet Explorer blog indicates that you’ll be able to opt out of the IE 8 download. If you’re serious about keeping the new release off your PC, you can download the IE 8 Blocking Tool from a page on Microsoft’s site.
However, as Figure 1 shows, the IE 8 blocking tool is intended primarily for administrators rather than consumers. You need to know the computer’s name and type:
ie80blocker.cmd computername /B
from a command prompt to enable the blocking mechanism.
Figure 1. Microsoft’s Internet Explorer 8 Blocking Tool runs from a command prompt and requires that you know the computer’s name.
For now, I recommend you simply opt out of the IE 8 download. My next column will report the results of my IE 8 tests.
MS09-010 (960477)
A long-overdue fix arrives for WordPad
Last December, Microsoft issued an advisory about attacks targeting WordPad, the word processor built into Windows. Four months later, the update described in security bulletin MS09-010 corrects the problem. Since WordPad also affects Office converter files, you may be offered more than one patch for this matter.
Also, you may see Office 2007 text-converter patches on the list of recommended updates, even though you have only Office 2003 installed on the system. That’s because the Office 2007 conversion tool places this code on your machine. If you use WordPad to view Word 6.0 and Write files, you may need to change a Registry key, as detailed in KB article 960477.
Exploits targeting this hole have been detected in the wild, so patch as soon as you can.
MS09-009 (968557)
Malicious Excel spreadsheets no longer a threat
Just before the U.S. tax deadline of April 15, Microsoft finally patched a security hole that surfaced in February and involves malicious Excel spreadsheets. The update explained in security bulletin MS09-009 and KB article 968557 prevents your system from being controlled by malware authors after you open an infected spreadsheet. (Many taxpayers will tell you that the Internal Revenue Service does a fine job of attacking our pocketbooks without the aid of such malicious spreadsheets.)
You may see several versions of this patch for Excel viewers and Office compatibility packs. If you use a Mac, look for updates for Excel 2004 and 2008.
The general rule still applies: don’t open any files — spreadsheet or otherwise — that you weren’t expecting. Always contact the sender via e-mail or phone to double-check that the person actually sent it.
MS09-011 (961373)
Image files combine to deliver malware
Most PC users recognize the .jpg and .jpeg file extensions as indicators of an image file. The patch described in security bulletin MS09-011 and KB article 961373 prevents an attack that stitches several image files together to create a malicious media file.
These days, bad guys look for all sorts of ways to entice us to download an infected file or visit a malware-laden Web site. Microsoft ranks many of these Web-based patches as lesser risks because they require that you open an infected Web page. Doing so is all too easy, unfortunately.
Social-networking sites such as Twitter and Facebook have recently been the targets of such attacks, so be careful when you follow links on these sites.
MS09-013 (960803)
Web credentials are the target of this attack
Quite frankly, the update described in security bulletin MS09-013 and KB article 960803 left me scratching my head and wishing for an explanation in plain English. The update fixes several problems that allow a Web server’s WinHTTP service to be used maliciously. The most probable threat is from a Web site on which an attacker lures you into entering your credentials, which are then used to attack your system.
So far, no exploits or proofs of concept for this hole have been seen in public. Let’s hope it stays that way.
MS09-012 (959454)
Year-old Web server threat finally patched
Web server administrators need to quickly apply the patch described in security bulletin MS09-012 and KB article 959454, which finally plugs a hole discovered a year ago. At that time, Microsoft released an advisory about the problem after a researcher presented a paper on it at a security conference in Dubai.
In the meantime, there have been several reports of bad guys using this technique to compromise Web servers. The optional security features addressed in this patch are too numerous to cover here, so I urge site administrators to read the bulletin.
The “Token Kidnapping” vulnerability also affects workstations, so the patches described in KB articles 956572 and 952004 apply to those systems. An article on the Microsoft Security Research & Defense site provides more information on the problem.
In the past, Microsoft released updates for Vista and Windows Server 2008 before patching the same holes in XP and other older platforms. That may explain why this fix for all Windows platforms was delayed; it took many hours of testing and third-party verification to ensure that it would work on all Windows versions.
MS09-016 (961759)
Enterprise firewalls get a rare update
If you run any Microsoft enterprise firewall software — which includes ISA Server 2004 and 2006 and the newly christened Threat Management Gateway — there’s a patch waiting for you. It might be easy to miss this one, because the last time Microsoft’s enterprise firewall software needed patching was four years ago.
The security issue examined in security bulletin MS09-016 and KB article 961759 was discovered in internal performance debugging by one of Microsoft’s own product groups.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
