-
Windows Genuine Advantage KB 905474 re-appears on the Windows Update list
You think Microsoft would’ve had the decency to pull the WGA / KB 905474 Windows Genuine Spyware update by now.
Nope. In fact, it appears that if you tell Windows Update or Microsoft Update to ignore the ignominious “critical security patch”, it won’t go away, at least for some users.
Yesterday I posted part of a message from Mark R, who successfully followed the instructions mentioned in the next article to get rid of Windows Genuine Spyware. Mark then encountered a rather bizarre problem. Every time he goes to Microsoft Update, the only update he’s offered is the Windows Genuine Advantage patch, KB 905474. Says Mark, “The only patch/update available to me at Microsoft Update is the WGA — the only way to even be offered yesterday’s patches [the June Patch Tuesday patches] is to rename those files back.”
It now appears that Mark’s not alone, and others have reported the same problem, in the newsgroups. Microsoft MVP Carey Frisch has this suggestion:
Download and install the Microsoft Genuine Advantage Diagnostic Tool. After running the MGA Diagnostic Tool, click on the “Windows” tab and then click on “Copy to Clipboard”. Next, visit this website and create a post in the “WGA Validation Problems” forum and paste the results of the WGA Diagnostic Data in a detailed post. A WGA troubleshooting specialist will analyze the data and recommend an appropriate solution.
I tried the Microsoft Genuine Advantage Diagnostic Tool. Interesting critter. You might take a look at what Microsoft is gathering.
-
Windows Genuine Spyware removal routine works
I have independent confirmation from two different sources, Mark R and Richard F, that the Windows Genuine Spyware, er, Nagware, uh, Advantage removal instructions that I posted a week ago do, in fact, work. If you follow the instructions, WGA will stop working, and you won’t get the “This copy of Windows is not genuine / You may be the victim of software counterfeiting” nag any more.
The problem that Mark R was having with WGA/ KB 905474 re-appearing on the Microsoft Update list, to the exclusion of all other patches, appears to be a separate bug in WGA. See the posting above.
-
12 Patches – keep your powder dry
Microsoft has released the anticipated 12 Patch Tuesday patches. Of course, you’re smart, and you’re waiting until the pioneers wail before installing them, right?
MS06-011 / KB 914798 – Permissive Windows Services DACLs Could Allow Elevation of Privilege – rated Important, but if you’re running WinXP Service Pack 2, you’re already protected. This is a re-issue of the security bulletin Microsoft released three months ago. “This update has been revised to include updated registry key values for the NetBT, RemoteAccess, and TCPIP services.” The KB article is up to version 4.0, which means Microsoft has had lots of problems with the patch.
MS06-021 / KB 916281 – YACPIE, er, Yet Another cumulative patch for Internet Explorer – rated Critical. This patch makes the MS06-013 Eolas lawsuit-based downgrade permanent. In addition, this cumulative patch fixes five code execution security holes, a spoofing hole, and another hole that could lead to information disclosure or spoofing. This replaces the YACPIE cumulative patch in MS06-013, three months ago. Of course, you’re running Firefox, so this isn’t nearly as critical as it may sound. Right?
MS06-022 / KB 918439 – Vulnerability in ART Image Rendering Could Allow Remote Code Execution – rated Critical. ART is an image format used by the AOL client (which is to say, the part of AOL that runs on your computer). Microsoft included ART support with Windows and Internet Explorer, thus the patch, and YAPIE.
MS06-023 / KB 917344 – YAPIE, Yet Another Patch for Internet Explorer, this one dealing with the JScript engine – rated Critical. This is a “companion update” to MS06-021; apparently you’re supposed to install both at the same time. No idea why they broke ’em out this way – MS06-021 had eight or so separate patches anyway.
MS06-024 / KB 917734 – Windows Media Player 10 doesn’t handle PNG images right – rated Critical. This one seems to be the most readily exploitable, at least to my jaundiced eye. You might want to install the Windows Media Player 11 beta , which has been reasonably stable for me. Just don’t get the, uh, Urge to spend real money on MSMTV’s Urge service. Oh. Wait a sec. I guess MS and MTV haven’t merged yet. My bad.
MS06-025 / KB 911280 – More buffer overflow problems, this time with Windows Routing and Remote Access – rated Critical for Windows 2000, but only Important for WinXP Service Pack 2.
MS06-026 / KB 918547 – Another buffer overflow in the handling of WMF files – rated Critical. Yeah, MS06-001 in January also tackled a WMF buffer overflow. So did MS06-004 and MS05-052. This is a different hole.
MS06-027 / KB 917336 – Plugs the infamous 0day Word hole, which Microsoft Live OneCare has been blocking for weeks – for a fee – rated Critical. It’s a buffer overflow problem with pointers inside Word docs. I was surprised to see that even the Word 2003 Viewer is affected. Hold off, grasshopper. The media reports of exploits in the wild are way overblown. Let’s see what gets broken in Word 2003, 2002, 2000, and the Word Viewer before you apply the patch.
MS06-028 / KB 916768 – Another buffer overflow hole, this time with PowerPoint 2000, 2002, and 2003 – rated Critical. This is another likely candidate for quick exploitation. I’ll keep you posted.
MS06-029 / KB 912442 – Security hole in Exchange Server running Outlook Web Access – rated Important. You only need to be worried about this one if you have Exchange Server running OWA. Microsoft advises “If you are using Microsoft Exchange Server 2003 Service Pack 1 (SP1) or Microsoft Exchange Server 2003 Service Pack 2 (SP2) and you install this security update, third-party services such as BlackBerry or GoodLink may be affected. Shared mailboxes may also be affected.” Oh boy.
MS06-030 / KB 914389 – Two holes in Server Message Block – rated Important.
MS06-031 / KB 917736 – Hole in RPC mutual authentication – rated Moderate. Doesn’t affect WinXP Service Pack 2.
MS06-032 / KB 917953 – Yet another TCP/IP buffer overflow – rated Important. Replaces MS06-007, from three months ago.
Whew.
-
MS-DEFCON 2
Just a reminder that we’re at MS-DEFCON 2, with a bunch of Automatic Update patches coming shortly.
To repeat my earlier advice: Check all of your machines, and all of your friends’, neighbors’, and relatives’ machines, to make sure that Automatic Update is set to Notify. Here’s how:
1. Log on to your PC with an administrator account. If you don’t know what an administrator account is, don’t worry about it – chances are very good that you have an administrator account already, so just get Windows going.
2. Click Start | Control Panel | Security Center.
3. At the very bottom of the screen, click Automatic Updates. (Don’t click around Automatic Updates at the top. Microsoft has it rigged so if you click in the wrong place, you’ll turn on Automatic Update.)
4. Click the button marked Notify Me but Don’t Automatically Download or Install Them.
5. Click OK, then “X” out of the Security Center, and “X” out of the Control Panel.
-
Robert Scoble leaving Microsoft
One of my favorite ‘Softies – a guy I’ve admired for many years, for his guts, intelligence, and decency – is leaving Microsoft, headed to a Podcasting startup called PodTech.net, in Menlo Park.
Eric Auchard at Reuters has the story.
Using his blog as a soapbox, Scoble came to personify a new style of corporate honesty in which he publicly spoke his mind on controversial topics. He was often willing to judiciously criticize Microsoft or praise its most fierce competitors. By resisting the role of corporate propagandist, he has won a following among millions of blog watchers as an insightful commentator on blogging, the software industry and the insular world of high-tech culture.
I didn’t agree with everything he said, but he spoke with authority and integrity. He’ll be sorely missed.
-
Microsoft to Windows 98, SE, ME users: tough luck
Remember MS06-015/KB 908531, the VERCLSID patch? It’s the one that was sent out via Automatic Update on April 15, tax day weekend in the US, and it froze machines running older HP scanning software and certain NVIDIA video drivers. At the time I called it “one of the worst patches ever.”
At the time of MS06-015’s release, Microsoft’s Security Bulletin stated:
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by the vulnerability addressed in this security bulletin? Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. Critical security updates for these platforms may not be available concurrently with the other security updates provided as part of this security bulletin. They will be made available as soon as possible following the release. When these security updates are available, you will be able to download them only from the Windows Update Web site.
Now, nearly two months later, we get this from the Microsoft Security Response Center blog:
[T]oday we’ve made an update to the FAQ in MS06-015 related to the availability of an update for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME). Specifically, after extensive investigation, we’ve found that it’s not feasible to make the extensive changes necessary to Windows Explorer on these older versions of Windows to eliminate the vulnerability.
One question, class. How much money did Microsoft make from Windows 98, SE and ME?
Trustworthy computing.
-
Microsoft says Windows Genuine Spyware NOT Spyware
From our Yeah, Sure department… Microsoft has posted its official denial that Windows Genuine Spyware is, uh, spyware. It’s well worth reading.
Shortly after logon, WGA Notifications checks whether a newer settings file is available and downloads the file if one is found… [T]his operation is limited to the download of the new settings file. No additional information is sent to Microsoft.
There’s still a great deal of confusion about whether WGA phones home daily, on reboot, or when a user logs on to Windows XP. I haven’t seen a detailed analysis of the information that WGA sends, but this much is clear. The fact that WGA “phones home” – much like the “Web beacons” of yore – means that Microsoft is capable, at a minimum, of collecting your IP address. If you have an always-on Internet connection, as is the case with cable or DSL, that IP address effectively identifies you uniquely. And if you’ve ever logged on to Hotmail or any Windows “Live” site from the computer running Windows Genuine Spyware, Microsoft also knows your email address, and possibly your physical address. It’s as simple as comparing IP addresses.
Yeah, there’s some wiggle room – the IP address, to a first approximation, uniquely identifies your house or business, not you – but when you look behind Microsoft’s PR agency’s batting eyes and aw-shucks attitude, the fact is that Microsoft has collected personally identifiable information as part of its WGA program.
How do I know? This PowerPoint slide from a presentation by ‘Softie Andrew Forsyth, posted on the Windows Observer Web site two months ago, shows the precise location of all of the people in the US who failed WGA authentication earlier this year.
Microsoft’s press release goes on to say:
Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware.
To my mind, broadly speaking, Windows Genuine Spyware is deceptive software that was pushed onto millions (tens? hundreds of millions?) of Windows customers’ machines, masquerading as an out-of-cycle “critical update” to Windows XP. In 99+% of all cases, it was installed without the user’s knowledge or consent. WGS sends information to Microsoft, without the user’s knowledge or consent. I have no idea how Microsoft uses the collected information, but the fact that it’s personally identifiable – and that Microsoft has used that same identifiable information in the past to pinpoint people geographically – should certainly qualify Windows Genuine Spyware as, er, Spyware.
I repeat: Microsoft can call Windows Genuine Spyware a pilot program, a test version, a work in progress, a beta, an experiment, a boon to the suffering software industry, or the secret to Life, the Universe and Everything. But the minute Microsoft pushes a pirate-sniffing piece of scumware onto your PC, in the guise of a “critical” update – and they use the software to phone home, without your knowledge or consent – they’ve gone way over the line.
-
Patch for screwed up Outlook Express MS06-016 patch is here, sorta
Two weeks ago I reported that a patch for the botched MS06-016 patch was on the way:
Microsoft is busy preparing Knowledge Base article 918651 which is supposed to describe a patch to the botched MS06-016 Outlook Express patch.
Although the Knowledge Base currently has references to article 918651, article 918651 itself has been yanked, with references going to KB 918776, which covers some of the same ground as the anticipated patch. If I read KB 918776 correctly, here’s what’s happening:
If you use Outlook Express, and
You installed the botched MS06-016/KB 911567 patch, and
You need to use saved Outlook Express .eml files as templates for new messages, then:
1. Install the MS06-016 patch, if you haven’t already (or re-install it if you removed it), then
2. Download and install the KB 918776 patch, as described in the above-referenced KB article, then
3. Edit the Registry. MVP and Outlook Express guru Tom Koch has a simple file that’ll do the job. Or you can do it manually: Start | Run | Regedit, create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HONOR_XUNSENT_IN_FILE. Then in that key, create a DWORD value called msimn.exe, and set it to 1.
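The registry edit in step 3, as an added PowerShell example (this is not Tom Koch’s file and not anything from the KB article): it creates the FeatureControl key and the msimn.exe DWORD named above, then reads the value back so you can confirm the setting actually took. It assumes an administrator prompt, since the key lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example: creates the FeatureControl key and the msimn.exe DWORD described
# in step 3, then reads it back. Requires administrator rights (HKLM hive).
$key  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HONOR_XUNSENT_IN_FILE'
$name = 'msimn.exe'   # the Outlook Express executable the feature control applies to

function Get-HonorXUnsentSetting {
    # Returns the current DWORD value, or $null if the key or the value is absent.
    if (-not (Test-Path -Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Set-HonorXUnsentSetting {
    # Creates the key (and any missing parent keys) if needed, then sets msimn.exe = 1 as REG_DWORD.
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-HonorXUnsentSetting
Set-HonorXUnsentSetting
$after = Get-HonorXUnsentSetting

$beforeText = if ($null -eq $before) { 'not set' } else { $before }
"Before: $beforeText   After: $after"
if ($after -ne 1) { Write-Error 'msimn.exe was not set to 1; check that the prompt is elevated.' }
```

The value only matters once the MS06-016 and KB 918776 patches from steps 1 and 2 are in place; setting it on an unpatched machine changes nothing.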
That has to be the most incredibly convoluted patch to a patch since the gdiplus screw-up last year.
Confusingly, the download page for KB 918776 claims to not only fix the .eml template bug, but also the Address Book corruption bug. It even claims to back up mail prior to compaction. There’s no description of any of the additional capabilities of the patch that I can find – there doesn’t appear to be anything in the KB covering all of the aspects of the KB 918776 patch – so I have absolutely no idea if the other bugs in MS06-016 have really been fixed or not.
Adding to my confusion: the download page for KB 918776 has a Microsoft Office logo on the top. Of course, MS06-016, the patch, the problems, the patch of the patch, and the convoluted instructions don’t have anything at all to do with Office. They’re all confined to Outlook Express – which isn’t related to Office in any way. Perhaps somebody at Microsoft, er, forgot?
Trustworthy computing.
(Thanks for the heads-up, EP!)
-
Removing Windows Genuine Spyware
Many of you have written to me asking for instructions on how to remove or disable Windows Genuine Advantage / Windows Genuine Spyware / KB 905474. While you can’t remove 905474 via Windows’ Add/Remove Programs, you can exorcise the critter with the following steps.
UPDATE: This approach is adapted from an Inquirer article posted in late April. I have independent confirmation now that this fix works. The end is a bit scary because you have to re-boot your PC twice – it hangs on the first re-boot.
1. Hold down Ctrl and Alt, and press Del to bring up the Windows Task Manager. Click the Processes tab. Look for a process called wgatray.exe. (If you can’t find wgatray.exe, you don’t have this particularly obnoxious piece of software installed. Breathe a sigh of relief and quit.)
2. Click Start | My Computer, double-click on the C: drive, then navigate in Windows Explorer to c:\windows\system32. (If you can’t see those folders, click Tools | Folder Options, click the View tab, click the button to Show Hidden Files and Folders, then uncheck the box that says Hide Protected Operating System Files (Recommended). Windows bellyaches, but click OK. While you’re here, make sure the box marked Hide Extensions For Known File Types is unchecked, too. Click OK, then work your way down to c:\windows\system32.)
3. Navigate down to c:\windows\system32\wgatray.exe. Click once on wgatray.exe.
4. You have to perform the next two steps quickly, so make sure you can see both the Processes tab and the wgatray.exe file at the same time.
5. Over in the Task Manager, click once on wgatray.exe, then click End Process.
6. Immediately after, in Windows Explorer, click on the file wgatray.exe, and push Delete.
(You have to do both because each copy of wgatray.exe will re-install the other.)
7. In Windows Explorer, press F5 and verify that wgatray.exe is well and truly gone. If it isn’t, repeat steps 5 and 6, quickly, until you drive a stake through WGS’s heart.
8. You aren’t done yet. Re-boot your computer. Click Start | My Computer, and navigate to c:\windows\system32\wgalogon.dll. Right-click on it and rename it to, oh, wgalogon.dll.evil. Then click once on the renamed file and press Delete.
9. Similarly, navigate to c:\windows\system32\dllcache\wgalogon.dll. Right-click on it and rename it. Then click on it once and press Delete.
10. Reboot your computer. According to the instructions at the Inquirer “Your system may hang when you reboot it the first time, but when it is brought back up, THE SPYWARE IS ALL GONE.”
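Before you start (or after step 10, to confirm the result), here is an added PowerShell inventory script, not part of the original post or the Inquirer article. It only reports: whether wgatray.exe is running, whether the three files the steps name are present, and each file’s version and Authenticode status, so you can see what is actually on the machine and whether it carries a Microsoft signature. It assumes Windows PowerShell on the XP machine and an administrator prompt, and it changes nothing.

```powershell
# Added example: inventories the WGA Notifications components named in the steps
# above (process and files) without touching them. Run as an administrator.
$sys32 = Join-Path $env:SystemRoot 'system32'
$paths = @(
    (Join-Path $sys32 'wgatray.exe'),
    (Join-Path $sys32 'wgalogon.dll'),
    (Join-Path $sys32 'dllcache\wgalogon.dll')
)

function Get-WgaInventory {
    # Returns one record per artifact: the running process, then each file with its
    # file version and Authenticode signature status (Valid, NotSigned, HashMismatch ...).
    $results = @()

    $proc = Get-Process -Name 'wgatray' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Item    = 'process wgatray.exe'
        Present = [bool]$proc
        Detail  = $(if ($proc) { 'PID ' + (($proc | ForEach-Object { $_.Id }) -join ',') } else { '' })
    }

    foreach ($p in $paths) {
        $exists = Test-Path -Path $p -PathType Leaf
        $detail = ''
        if ($exists) {
            # -Force so hidden/system files (dllcache lives in a hidden folder) are still read.
            $file = Get-Item -Path $p -Force
            $sig  = Get-AuthenticodeSignature -FilePath $p
            $detail = "version $($file.VersionInfo.FileVersion), signature $($sig.Status)"
        }
        $results += [pscustomobject]@{ Item = $p; Present = $exists; Detail = $detail }
    }
    return $results
}

$inventory = Get-WgaInventory
$inventory | Format-Table -AutoSize

if (-not ($inventory | Where-Object { $_.Present })) {
    'WGA Notifications does not appear to be installed on this machine.'
}
```

A HashMismatch or NotSigned status on either DLL is worth noting before you delete anything: it means the file on disk is not the binary Microsoft shipped.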
Once again, if you have any comments, send me mail!
UPDATE: My Digital Life lists sixteen – count ’em! – sixteen different methods for removing or mitigating the effect of KB 905474. I’ll let you know when I find out, for sure, which ones work with the current version of WGS.
-
Windows Genuine Spyware shows its fangs
Yesterday, I talked about the way Windows Genuine Advantage had turned into Windows Genuine Spyware. Microsoft’s stealthy installation of the new version of WGA as part of the mid-month “April Fools Patches” started the ball rolling. Then we found out about WGS’s identification (sometimes mis-identification) and branding of undocumented copies of Windows. And then we learned that WGS “phones home” to Mother Microsoft every time you re-boot your machine. All in all, it made the Sony Rootkit look like an amateurish precursor. Only Microsoft could well and truly blanket the world – certainly tens, probably hundreds of millions of machines – with classic spyware.
Oh, and this new, improved version of Windows Genuine Spyware can’t be uninstalled. Did I mention that?
Now comes word that the situation’s worse than I originally thought.
ZDNet’s David Berlind reports that Windows Genuine Spyware phones home every day. There’s some sort of not-very-well-described capability to alter WGS’s activities. David confirms that WGS gets installed (at least in the US) without your knowledge or consent, on systems with Windows Update activated, and he also discusses the possibility that Microsoft’s new firewall may conveniently “forget” to log outbound pings from Microsoft software.
That makes me very wary about Windows Vista’s new outbound firewall. I guess some pigs are more equal than others, eh?
I take issue with David’s statement:
Making Microsoft the subject of a witchhunt because it still has to do some more quality testing on something that is, according to the EULA, a pre-release service is a waste of time. At best, what we’re seeing here is a work-in-progress where there’s more work to be done not just in the area of disclosure as Microsoft has already acknowledged, but also on the user experience…
Here’s why I disagree. If Microsoft needs to do quality testing on a pre-release service, it sure as hell has no right to “push” that beta software onto my PC. Whether Microsoft bills WGS as a beta, as a pre-release version, as a work in progress, or as holy writ makes absolutely no difference. The minute Microsoft installs spyware on my PC without my knowledge or consent, they’ve stepped over the line.
As I’ve said many times before: this isn’t a conspiracy. Microsoft makes mistakes. The problem is that so many people in positions of authority make so many really stupid mistakes, you’re a chump if you let Microsoft control your PC. Turn off Automatic Updates. Get independent confirmation about patches before you allow them on your machine.
-
Passel of Patches – batten down the hatches
Microsoft has just announced that it will issue twelve Security Bulletins on Patch Tuesday, June 13. In a PC World interview, Susan Bradley notes that many patch administrators will be at TechEd on Tuesday. Life’s going to get interesting.
Apparently Microsoft will offer a free fix for the 0day hole in Word that I’ve been talking about – the one that Microsoft’s Windows Live OneCare now offers to fix for a mere $49.
This Patch Tuesday also marks the end of the line for the Eolas patent patch by-pass. Microsoft will well and truly force all Internet Explorer users to downgrade, due to Microsoft’s expropriation of technology and loss of the subsequent lawsuit.
All in all, it’s going to be a hellacious Tuesday. I’m raising the MS-DEFCON level to 2, which means you shouldn’t install any new patches until the victims with Automatic Updates turned on start wailing about Microsoft’s mistakes. Now’s a very good time to check all of your machines, and all of your friends’, neighbors’, and relatives’ machines, to make sure that Automatic Update is set to Notify. Here’s how:
1. Log on to your PC with an administrator account. If you don’t know what an administrator account is, don’t worry about it – chances are very good that you have an administrator account already, so just get Windows going.
2. Click Start | Control Panel | Security Center.
3. At the very bottom of the screen, click Automatic Updates. (Don’t click around Automatic Updates at the top. Microsoft has it rigged so if you click in the wrong place, you’ll turn on Automatic Update.)
4. Click the button marked Notify Me but Don’t Automatically Download or Install Them.
5. Click OK, then “X” out of the Security Center, and “X” out of the Control Panel.
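If you have more than a handful of machines to check, clicking through the Security Center on each one gets old. Here is an added PowerShell example (not from the original post; it covers the same five-step procedure given here and in the MS-DEFCON 2 reminder above) that reads the Automatic Updates setting through the Windows Update Agent COM object and, if it is not “notify before download”, changes it. It assumes Windows PowerShell with the WUA 2.0 COM interface that ships with XP SP2, and an administrator prompt.

```powershell
# Added example: checks the Automatic Updates notification level via the
# Microsoft.Update.AutoUpdate COM object and sets it to "notify before download".
# NotificationLevel values: 0 = not configured, 1 = disabled, 2 = notify before
# download, 3 = download then notify before install, 4 = scheduled install.
$NotifyBeforeDownload = 2
$levelNames = @{
    0 = 'not configured'; 1 = 'disabled'; 2 = 'notify before download'
    3 = 'download, then notify before install'; 4 = 'scheduled install'
}

function Get-AutoUpdateLevel {
    # Returns the current NotificationLevel as an integer.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    return [int]$au.Settings.NotificationLevel
}

function Set-AutoUpdateNotify {
    # Sets the level to 2 and saves it; returns the level read back afterwards.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $settings = $au.Settings
    if ($settings.ReadOnly) {
        # Group Policy (or a domain admin) owns this setting; the dialog in step 4 is greyed out too.
        throw 'Automatic Updates settings are read-only on this machine (policy-managed).'
    }
    $settings.NotificationLevel = $NotifyBeforeDownload
    $settings.Save()
    return (Get-AutoUpdateLevel)
}

$current = Get-AutoUpdateLevel
"Current setting: $current ($($levelNames[$current]))"
if ($current -ne $NotifyBeforeDownload) {
    $new = Set-AutoUpdateNotify
    "Changed to: $new ($($levelNames[$new]))"
} else {
    'Already set to Notify; nothing to do.'
}
```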
Keep watching here – and in Windows Secrets newsletter – for the latest news. I’ll lower the MS-DEFCON level when I’m satisfied that Microsoft’s cure is better than the disease.
-
Windows Vista Beta 2 now available for download
In the past few minutes, Microsoft posted the “official” Windows Vista Beta 2 bits here.
The servers will melt down in about ten minutes, but if you’re persistent, you’ll get a copy sooner or later.
The original announcement appeared before the site was ready, at MSBlog.
Neowin points to BartysBlog for information on how to get a key.
After you download the file, you’ll have to burn it to DVD using software that can handle ISOs, or you can access the file from a network using an ISO emulator such as UltraISO ($29.95) or the Paragon Emulator personal edition, which is free.
Notes: At 3.13 GB, it’s a big hummer. The filename indicates it’s Build 5384.4, which is the same build that was released at WinHEC, and has been available via MSDN, and on the newsgroups, for weeks. No official confirmation whether it’s really the same build, but it seems likely. Oh. And the download manager requires Sun Java, natch. No yechy ActiveX here, no sireee.
UPDATE: A good friend just wrote to advise that the version of Beta 2 available on Microsoft’s site, called Build 5384.4, is indeed precisely the same version as the one distributed at WinHEC, which is the same as the one made available to MSDN members, and the version that was widely available on the newsgroups about two weeks ago.