XP, IE, and OE patches cause their own problems

XP, IE, and OE patches cause their own problems

By Brian Livingston

It hasn’t been Microsoft’s best month for releasing patches.

After it was widely reported that installing a recent security patch can slow Windows XP to a crawl, the Redmond company had to admit the problem and scale back its recommendation that all XP users apply the update.

Now there are reports that Microsoft’s two latest patches, which correct security problems in Internet Explorer 5 and 6 and Outlook Express 6, also cause difficulties of their own.

• MS03-013 for Windows NT 4, 2000, and XP
  This patch, first released on April 16, prevents someone from logging on from the keyboard or a terminal session and running code to gain administrator privileges. Microsoft has downgraded this threat to “important” rather than “critical.”

  Microsoft confirmed on April 25 in its Knowledge Base article 819634 that installing the patch on XP Service Pack 1 can seriously slow a PC, especially if antivirus programs are configured to scan files as they are opened. Testers report delays of more than 10 seconds in launching apps in this situation. The company currently recommends that you either uninstall the patch or disable real-time antivirus scanning, using periodic disk scans instead.

  At this writing, the company says an improved patch will be released at an unknown future date. But other sources say a working patch is already available, although you have to make a special request for it through Microsoft’s Product Support Services.

  A word of warning, however, has been sounded by BugTraq’s Russ Cooper. He advises users not to install MS03-013 on Windows 2000 until Microsoft explains the purpose of 10 modified files. One is Ntdll.dll, which caused problems as part of the MS03-007 patch. More info

• MS03-014 for Internet Explorer 5 and 6 and Outlook Express 5.5 and 6
  This update, issued on April 23, corrects a security problem in the way IE and OE handle files stored on the Web. If a user visits a malicious Web page, the apps can be made to render a plain-text file as though it were HTML. If the text file contains an executable script, the script could damage the PC – because a text file is a “safe file type” that runs with Local Computer Zone privileges. Microsoft rates this flaw “critical.”

  MS03-014 is being described as a patch for Outlook Express 5.5 and 6. But it’s important even for those who don’t use OE but use Internet Explorer 5 and 6. That’s because IE uses the underlying code of OE to render text files as if they were HTML files. Installing the patch prevents IE and OE from converting any text files other than .mht or .mhtml file types into the special form that renders as HTML. More info

  The problem? In an article that’s not yet posted on the Web, issue 3.15 of the Woody’s Windows XP newsletter reports that installing the MS03-014 patch completely disables IE and OE’s ability to access the Internet if the operating system is XP and Norton Internet Security 2002 is installed. This is true whether or not NIS is disabled before running the update. The e-zine also says the patch prevents OE 6 from remembering the most-recent location where an attachment was saved.

• MS03-015 for Internet Explorer 5 and 6
  This patch, released along with MS03-014 on April 23, is a “cumulative update” that combines all known fixes for Internet Explorer 5.01, 5.5, and 6. The update also corrects four new vulnerabilities, three of which are threats that Redmond rates as “critical.”

  The most serious vulnerability allows a Web site to run malicious code on a user’s PC. The rogue program would enjoy all the same privileges as the locally logged-in user. More info

  Woody’s notes that Internet access on XP is disabled if MS03-15 is installed while Norton Internet Security 2002 is running. But this problem can be avoided by simply turning off virus checking before installing the patch (a good step when installing almost any app).

Does this mean you shouldn’t install the latest Microsoft updates? Not at all. But if you use Norton Internet Security or any other antivirus programs, you should definitely test MS03-014 and MS03-015 before rolling these patches out to production machines. You may also want to delay MS03-013 on Windows 2000 and XP machines if you aren’t directly affected by the threat it averts. (For example, if your machines are in locked rooms where only trusted admins have access.) Proceeding with caution is a normal reaction to any new Microsoft upgrade.

Amid this hue and cry, some lowlife is sending out e-mail messages that appear to be from Microsoft, announcing a very desirable “cumulative patch.” I don’t know whether these bogus messages are in response to the XP/IE/OE mess, but the messages carry an attachment called Q178830.exe, which appears to be a virus (although it’s not yet reported in major antivirus databases).

I’m reproducing the fake message below, not because you should follow its advice, but to show how chillingly similar to a real Microsoft message it seems:

From: Microsoft Internet Technical Services [mailto:sdjsibp887470@WRrTUXG.net]
Sent: Monday, May 05, 2003 10:01 AM
To: MS Customer

MS Customer

this is the latest version of security update, the “May 2003, Cumulative Patch” update which eliminates all known security vulnerabilities affecting Internet Explorer, Outlook and Outlook Express as well as five newly discovered vulnerabilities. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run executable on your system. This update includes the functionality of all previously released patches.

System requirements	Win 9x/Me/2000/NT/XP
This update applies to	Microsoft Internet Explorer, version 4.01 and later Microsoft Outlook, version 8.00 and later Microsoft Outlook Express, version 4.01 and later
Recommendation	Customers should install the patch at the earliest opportunity.
How to install	Run attached file. Click Yes on displayed dialog box.
How to use	You don’t need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site, or Contact us.

Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

Thank you for using Microsoft products.

With friendly greetings,
Microsoft Internet Technical Services

---

©2003 Microsoft Corporation. All rights reserved. The names of the actual companies and products mentioned herein may be the trademarks of their respective owners. Important: the above is not a genuine Microsoft message and should not be acted upon. Microsoft is emphatic that it never sends out patches as e-mail attachments. Unfortunately, the bogus message is such a good imitation (except for the weird “mailto” address in the From line) that many end users would run the attached executable file without a second thought.

To send me more information about any of this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.

I’m sending reader David S. Calef a certificate good for a book, CD, or DVD of his choice for his help on this subject.

XP, IE, and OE bulletins top the headlines

The big news in Microsoft tech bulletins this month was the XP, Internet Explorer, and Outlook Express patches that make up my top story at the beginning of this issue. But there are plenty of other alerts to deal with in the section below.

• Tighter security alters IE convenience in Windows Server 2003
  In most versions of Windows, Internet Explorer has different security settings for Web sites that fall into zones such as “Trusted,” “Internet,” and “Restricted.” In Server 2003, however, IE by default puts all general Internet sites into the same security zone as Restricted sites (in other words, high security).

  This means ActiveX controls, scripts, and downloading of files won’t work at Web sites users visit, unless those sites are manually added to the Trusted zone.

  In addition, users may be repeatedly asked for a username and password when accessing intranet sites that previously asked only once. These sites now need to be manually added to the Local Intranet zone. Web sites in general shouldn’t be added to this zone because IE will then pass user/password strings to them automatically when requested. More info

Other significant bulletins:

• Built-in and add-on video adapters cause Start menu to vanish after XP upgrade
• DOS window can’t be closed by clicking the X button in XP
• Using INF to add a printer deselects its print processor in XP

Free trial version of WinBoost now supports Windows XP

I was one of the first journalists to discover and write about WinBoost, a clever Windows tweaking utility, back in October 1998. I’m pleased to report that the free trial version of WinBoost 4 now is compatible with Windows XP, for those who can’t wait to control all those nonobvious settings. It still works with Windows 9x/Me/2000, too. WinBoost helps you optimize your CD, DVD, and Internet speeds, as well as giving you ways to configure or hide many basic Windows features, such as the Run menu. If you like the free trial, the paid version is only $30 and adds to the basic software a library of hundreds of little-known tips. More info

Another powerful add-on enhances dialog boxes
After last issue’s tip about EditHistory – which adds recently-accessed files to Windows’ dialog boxes – reader Mike Tashker sent in his endorsement of another utility. “The best tool (shareware) for file dialog boxes is File-Ex,” he writes. “Lotsa power, including history, favorites (both files and directories), and dialog box enhancements.” Originally for Win 9x, the newest version supports Win NT/2K/XP as well. There’s a 30-day trial version and a $19.95 registered version. More info

The Eater of Meaning can make your Web site 100% funnier

Now here’s a Web service that proves the adage, “Content is King!” The Eater of Meaning works on practically any Web site, and the results are almost certain to be an improvement.

The program, developed by Leonard Richardson of Crummy.com, uses a variety of filters to rewrite the words of any site you specify. I tried it by typing in the home page of my friends at News.com. Their boring old headline, “Microsoft, Best Buy accused of scam” was turned into the much more entertaining “Microport, Besotter Buy accounting of scampers.”

Point this thing at your company’s home page and watch your CEO burst into laughter! Visit the Eater of Meaning