-
MS-DEFCON 2
Just a reminder that we’re at MS-DEFCON 2, with a bunch of Automatic Update patches coming shortly.
To repeat my earlier advice: Check all of your machines, and all of your friends’, neighbors’, and relatives’ machines, to make sure that Automatic Update is set to Notify. Here’s how:
1. Log on to your PC with an administrator account. If you don’t know what an administrator account is, don’t worry about it – chances are very good that you have an administrator account already, so just get Windows going.
2. Click Start | Control Panel | Security Center.
3. At the very bottom of the screen, click Automatic Updates. (Don’t click around Automatic Updates at the top. Microsoft has it rigged so if you click in the wrong place, you’ll turn on Automatic Update.)
4. Click the button marked Notify Me but Don’t Automatically Download or Install Them.
5. Click OK, then “X” out of the Security Center, and “X” out of the Control Panel.
-
Robert Scoble leaving Microsoft
One of my favorite ‘Softies – a guy I’ve admired for many years, for his guts, intelligence, and decency – is leaving Microsoft, headed to a Podcasting startup called PodTech.net, in Menlo Park.
Eric Auchard at Reuters has the story.
Using his blog as a soapbox, Scoble came to personify a new style of corporate honesty in which he publicly spoke his mind on controversial topics. He was often willing to judiciously criticize Microsoft or praise its most fierce competitors. By resisting the role of corporate propagandist, he has won a following among millions of blog watchers as an insightful commentator on blogging, the software industry and the insular world of high-tech culture.
I didn’t agree with everything he said, but he spoke with authority and integrity. He’ll be sorely missed.
-
Microsoft to Windows 98, SE, ME users: tough luck
Remember MS06-015/KB 908531, the VERCLSID patch? It’s the one that was sent out via Automatic Update on April 15, tax day weekend in the US, and it froze machines running older HP scanning software and certain NVIDIA video drivers. At the time I called it “one of the worst patches ever.”
At the time of MS06-015’s release, Microsoft’s Security Bulletin stated:
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by the vulnerability addressed in this security bulletin? Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. Critical security updates for these platforms may not be available concurrently with the other security updates provided as part of this security bulletin. They will be made available as soon as possible following the release. When these security updates are available, you will be able to download them only from the Windows Update Web site.
Now, nearly two months later, we get this from the Microsoft Security Response Center blog:
[T]oday we’ve made an update to the FAQ in MS06-015 related to the availability of an update for Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME). Specifically, after extensive investigation, we’ve found that it’s not feasible to make the extensive changes necessary to Windows Explorer on these older versions of Windows to eliminate the vulnerability.
One question, class. How much money did Microsoft make from Windows 98, SE and ME?
Trustworthy computing.
-
Microsoft says Windows Genuine Spyware NOT Spyware
From our Yeah, Sure department… Microsoft has posted its official denial that Windows Genuine Spyware is, uh, spyware. It’s well worth reading.
Shortly after logon, WGA Notifications checks whether a newer settings file is available and downloads the file if one is found… [T]his operation is limited to the download of the new settings file. No additional information is sent to Microsoft.
There’s still a great deal of confusion about whether WGA phones home daily, on reboot, or when a user logs on to Windows XP. I haven’t seen a detailed analysis of the information that WGA sends, but this much is clear. The fact that WGA “phones home” – much like the “Web beacons” of yore – means that Microsoft is capable, at a minimum, of collecting your IP address. If you have an always-on Internet connection, as is the case with cable or DSL, that IP address effectively identifies you uniquely. And if you’ve ever logged on to Hotmail or any Windows “Live” site from the computer running Windows Genuine Spyware, Microsoft also knows your email address, and possibly your physical address. It’s as simple as comparing IP addresses.
Yeah, there’s some wiggle room – the IP address, to a first approximation, uniquely identifies your house or business, not you – but when you look behind Microsoft’s PR agency’s batting eyes and aw-shucks attitude, the fact is that Microsoft has collected personally identifiable information as part of its WGA program.
How do I know? This PowerPoint slide from a presentation by ‘Softie Andrew Forsyth, posted on the Windows Observer Web site two months ago, shows the precise location of all of the people in the US who failed WGA authentication earlier this year.
Microsoft’s press release goes on to say:
Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware.
To my mind, broadly speaking, Windows Genuine Spyware is deceptive software that was pushed onto millions (tens? hundreds of millions?) of Windows customers’ machines, masquerading as an out-of-cycle “critical update” to Windows XP. In 99+% of all cases, it was installed without the user’s knowledge or consent. WGS sends information to Microsoft, without the user’s knowledge or consent. I have no idea how Microsoft uses the collected information, but the fact that it’s personally identifiable – and that Microsoft has used that same identifiable information in the past to pinpoint people geographically – should certainly qualify Windows Genuine Spyware as, er, Spyware.
I repeat: Microsoft can call Windows Genuine Spyware a pilot program, a test version, a work in progress, a beta, an experiment, a boon to the suffering software industry, or the secret to Life, the Universe and Everything. But the minute Microsoft pushes a pirate-sniffing piece of scumware onto your PC, in the guise of a “critical” update – and they use the software to phone home, without your knowledge or consent – they’ve gone way over the line.
-
Patch for screwed up Outlook Express MS06-016 patch is here, sorta
Two weeks ago I reported that a patch for the botched MS06-016 patch was on the way:
Microsoft is busy preparing Knowledge Base article 918651 which is supposed to describe a patch to the botched MS06-016 Outlook Express patch.
Although the Knowledge Base currently has references to article 918651, article 918651 itself has been yanked, with references going to KB 918776, which covers some of the same ground as the anticipated patch. If I read KB 918776 correctly, here’s what’s happening:
If you use Outlook Express, and
You installed the botched MS06-016/KB 911567 patch, and
You need to use saved Outlook Express .eml files as templates for new messages, then:
1. Install the MS06-016 patch, if you haven’t already (or re-install it if you removed it), then
2. Download and install the KB 918776 patch, as described in the above-referenced KB article, then
3. Edit the Registry. MVP and Outlook Express guru Tom Koch has a simple file that’ll do the job. Or you can do it manually: Start | Run | Regedit, create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HONOR_XUNSENT_IN_FILE. Then in that key, create a DWORD value called msimn.exe, and set it to 1.
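Step 3 as a script, for anyone who has to apply it to more than one machine. This is an added example, not Tom Koch’s file and not Microsoft’s code; it uses only the key, value name and data given above, the function names are made up for illustration, and it assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or from Microsoft).
# Key, value name and data come from step 3; the function names are hypothetical.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HONOR_XUNSENT_IN_FILE'
$ValueName = 'msimn.exe'

function Get-HonorXUnsentState {
    # Returns the value and its registry type, or $null when the key or value is missing.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return $null }
    New-Object PSObject -Property @{
        Value = $key.GetValue($ValueName)
        Kind  = $key.GetValueKind($ValueName)
    }
}

function Set-HonorXUnsent {
    $before = Get-HonorXUnsentState
    # A string "1" is not the DWORD the step calls for, so the type is checked too.
    if ($before -and $before.Kind -eq 'DWord' -and $before.Value -eq 1) {
        return "Already set: $ValueName = 1 (REG_DWORD)"
    }
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force replaces an existing value, including one created with the wrong type.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back instead of trusting the write.
    $after = Get-HonorXUnsentState
    if (-not $after -or $after.Kind -ne 'DWord' -or $after.Value -ne 1) {
        throw "Write did not take effect; check that the prompt is elevated."
    }
    return "Set $ValueName = 1 (REG_DWORD)"
}

Set-HonorXUnsent
```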
That has to be the most incredibly convoluted patch to a patch since the gdiplus screw-up last year.
Confusingly, the download page for KB 918776 claims to not only fix the .eml template bug, but also the Address Book corruption bug. It even claims to back up mail prior to compaction. There’s no description of any of the additional capabilities of the patch that I can find – there doesn’t appear to be anything in the KB covering all of the aspects of the KB 918776 patch – so I have absolutely no idea if the other bugs in MS06-016 have really been fixed or not.
Adding to my confusion: the download page for KB 918776 has a Microsoft Office logo on the top. Of course, MS06-016, the patch, the problems, the patch of the patch, and the convoluted instructions don’t have anything at all to do with Office. They’re all confined to Outlook Express – which isn’t related to Office in any way. Perhaps somebody at Microsoft, er, forgot?
Trustworthy computing.
(Thanks for the heads-up, EP!)
-
Removing Windows Genuine Spyware
Many of you have written to me asking for instructions on how to remove or disable Windows Genuine Advantage / Windows Genuine Spyware / KB 905474. While you can’t remove 905474 via Windows’ Add/Remove Programs, you can exorcise the critter with the following steps.
UPDATE: This approach is adapted from an Inquirer article posted in late April. I have independent confirmation now that this fix works. The end is a bit scary because you have to re-boot your PC twice – it hangs on the first re-boot.
1. Hold down Ctrl and Alt, and press Del to bring up the Windows Task Manager. Click the Processes tab. Look for a process called wgatray.exe. (If you can’t find wgatray.exe, you don’t have this particularly obnoxious piece of software installed. Breathe a sigh of relief and quit.)
2. Click Start | My Computer, double-click on the C: drive, then navigate in Windows Explorer to c:\windows\system32. (If you can’t see those folders, click Tools | Folder Options, click the View tab, click the button to Show Hidden Files and Folders, then uncheck the box that says Hide Protected Operating System Files (Recommended). Windows bellyaches, but click OK. While you’re here, make sure the box marked Hide Extensions For Known File Types is unchecked, too. Click OK, then work your way down to c:\windows\system32.)
3. Navigate down to c:\windows\system32\wgatray.exe. Click once on wgatray.exe.
4. You have to perform the next two steps quickly, so make sure you can see both the Processes tab and the wgatray.exe file at the same time.
5. Over in the Task Manager, click once on wgatray.exe, then click End Process.
6. Immediately after, in Windows Explorer, click on the file wgatray.exe, and push Delete.
(You have to do both because each copy of wgatray.exe will re-install the other.)
7. In Windows Explorer, press F5 and verify that wgatray.exe is well and truly gone. If it isn’t, repeat steps 5 and 6, quickly, until you drive a stake through WGS’s heart.
8. You aren’t done yet. Re-boot your computer. Click Start | My Computer, and navigate to c:\windows\system32\wgalogon.dll. Right-click on it and rename it to, oh, wgalogon.dll.evil. Then click once on the renamed file and press Delete.
9. Similarly, navigate to c:\windows\system32\dllcache\wgalogon.dll. Right-click on it and rename it. Then click on it once and press Delete.
10. Reboot your computer. According to the instructions at the Inquirer “Your system may hang when you reboot it the first time, but when it is brought back up, THE SPYWARE IS ALL GONE.”
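A quick way to run the check in step 7 across every piece the steps touch, before and after the two reboots. This is an added example, not part of the Inquirer’s instructions; it only reads state and changes nothing, the function names are made up for illustration, and it assumes Windows lives wherever %SystemRoot% points (c:\windows in the steps above).

```powershell
# Added example (not from the original post). Read-only: reports which of the
# components named in steps 1-9 are still present. Function names are hypothetical.
$Sys32 = Join-Path $env:SystemRoot 'system32'   # assumption: c:\windows\system32 in the text
$Files = @(
    (Join-Path $Sys32 'wgatray.exe'),
    (Join-Path $Sys32 'wgalogon.dll'),
    (Join-Path $Sys32 'dllcache\wgalogon.dll')
)

function Get-WgaComponentState {
    # Running process first (step 1 looks for it in Task Manager).
    $proc   = @(Get-Process -Name 'wgatray' -ErrorAction SilentlyContinue)
    $detail = ''
    if ($proc.Count -gt 0) { $detail = 'PID ' + $proc[0].Id }
    New-Object PSObject -Property @{
        Component = 'process wgatray.exe'; Present = ($proc.Count -gt 0); Detail = $detail
    } | Select-Object Component, Present, Detail

    # Then the three files; -Force lets Get-Item see hidden and system files.
    foreach ($path in $Files) {
        $item   = Get-Item -Path $path -Force -ErrorAction SilentlyContinue
        $detail = ''
        if ($item) { $detail = "{0} bytes, modified {1:yyyy-MM-dd}" -f $item.Length, $item.LastWriteTime }
        New-Object PSObject -Property @{
            Component = $path; Present = [bool]$item; Detail = $detail
        } | Select-Object Component, Present, Detail
    }
}

function Get-WgaVerdict {
    param($State)
    $present = @($State | Where-Object { $_.Present })
    if ($present.Count -eq 0)             { return 'None of the listed components found' }
    if ($present.Count -eq @($State).Count) { return 'All listed components present' }
    # The in-between case is the one the steps warn about: a leftover piece.
    return 'Partial: still present -> ' + (($present | ForEach-Object { $_.Component }) -join '; ')
}

$state = Get-WgaComponentState
$state | Format-Table -AutoSize
Get-WgaVerdict -State $state
```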
Once again, if you have any comments, send me mail!
UPDATE: My Digital Life lists sixteen – count ’em! – sixteen different methods for removing or mitigating the effect of KB 905474. I’ll let you know when I find out, for sure, which ones work with the current version of WGS.
-
Windows Genuine Spyware shows its fangs
Yesterday, I talked about the way Windows Genuine Advantage had turned into Windows Genuine Spyware. Microsoft’s stealthy installation of the new version of WGA as part of the mid-month “April Fools Patches” started the ball rolling. Then we found out about WGS’s identification (sometimes mis-identification) and branding of undocumented copies of Windows. And then we learned that WGS “phones home” to Mother Microsoft every time you re-boot your machine. All in all, it made the Sony Rootkit look like an amateurish precursor. Only Microsoft could well and truly blanket the world – certainly tens, probably hundreds of millions of machines – with classic spyware.
Oh, and this new, improved version of Windows Genuine Spyware can’t be uninstalled. Did I mention that?
Now comes word that the situation’s worse than I originally thought.
ZDNet’s David Berlind reports that Windows Genuine Spyware phones home every day. There’s some sort of not-very-well-described capability to alter WGS’s activities. David confirms that WGS gets installed (at least in the US) without your knowledge or consent, on systems with Windows Update activated, and he also discusses the possibility that Microsoft’s new firewall may conveniently “forget” to log outbound pings from Microsoft software.
That makes me very wary about Windows Vista’s new outbound firewall. I guess some pigs are more equal than others, eh?
I take issue with David’s statement:
Making Microsoft the subject of a witchhunt because it still has to do some more quality testing on something that is, according to the EULA, a pre-release service is a waste of time. At best, what we’re seeing here is a work-in-progress where there’s more work to be done not just in the area of disclosure as Microsoft has already acknowledged, but also on the user experience…
Here’s why I disagree. If Microsoft needs to do quality testing on a pre-release service, it sure as hell has no right to “push” that beta software onto my PC. Whether Microsoft bills WGS as a beta, as a pre-release version, as a work in progress, or as holy writ makes absolutely no difference. The minute Microsoft installs spyware on my PC without my knowledge or consent, they’ve stepped over the line.
As I’ve said many times before: this isn’t a conspiracy. Microsoft makes mistakes. The problem is that so many people in positions of authority make so many really stupid mistakes, you’re a chump if you let Microsoft control your PC. Turn off Automatic Updates. Get independent confirmation about patches before you allow them on your machine.
-
Passle of Patches – batten down the hatches
Microsoft has just announced that it will issue twelve Security Bulletins on Patch Tuesday, June 13. In a PC World interview, Susan Bradley notes that many patch administrators will be at TechEd on Tuesday. Life’s going to get interesting.
Apparently Microsoft will offer a free fix for the 0day hole in Word that I’ve been talking about – the one that Microsoft’s Windows Live OneCare now offers to fix for a mere $49.
This Patch Tuesday also marks the end of the line for the Eolas patent patch by-pass. Microsoft will well and truly force all Internet Explorer users to downgrade, due to Microsoft’s expropriation of technology and loss of the subsequent lawsuit.
All in all, it’s going to be a hellacious Tuesday. I’m raising the MS-DEFCON level to 2, which means you shouldn’t install any new patches until the victims with Automatic Updates turned on start wailing about Microsoft’s mistakes. Now’s a very good time to check all of your machines, and all of your friends’, neighbors’, and relatives’ machines, to make sure that Automatic Update is set to Notify. Here’s how:
1. Log on to your PC with an administrator account. If you don’t know what an administrator account is, don’t worry about it – chances are very good that you have an administrator account already, so just get Windows going.
2. Click Start | Control Panel | Security Center.
3. At the very bottom of the screen, click Automatic Updates. (Don’t click around Automatic Updates at the top. Microsoft has it rigged so if you click in the wrong place, you’ll turn on Automatic Update.)
4. Click the button marked Notify Me but Don’t Automatically Download or Install Them.
5. Click OK, then “X” out of the Security Center, and “X” out of the Control Panel.
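For checking a pile of machines without clicking through the dialog on each one, the setting can be read from the registry. This is an added example, not something from Microsoft or from the steps above; it assumes the two registry locations the Windows Update client of this era uses for the Automatic Updates choice (the Control Panel setting and the Group Policy override), the function names are made up for illustration, and it only reads.

```powershell
# Added example (not from the original post). Read-only audit of the Automatic
# Updates choice. Assumption: the setting lives in the two keys below, with a
# Group Policy value overriding the Control Panel one. Function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

$Meaning = @{
    1 = 'Automatic Updates turned off'
    2 = 'Notify, but do not download or install'
    3 = 'Download automatically, notify before installing'
    4 = 'Download and install automatically'
}

function Read-RegistryValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Get-AutoUpdateSetting {
    $noAuto = Read-RegistryValue $PolicyKey 'NoAutoUpdate'
    $policy = Read-RegistryValue $PolicyKey 'AUOptions'
    $local  = Read-RegistryValue $LocalKey  'AUOptions'

    if ($noAuto -eq 1) {
        $source = 'Group Policy (NoAutoUpdate)'; $effective = 1
    } elseif ($null -ne $policy -and $policy -ne 5) {
        # Policy value 5 hands the choice back to the local administrator.
        $source = 'Group Policy (AUOptions)'; $effective = [int]$policy
    } else {
        $source = 'Control Panel'; $effective = $local
    }

    if ($null -eq $effective) {
        $text = 'Not set in either location'
    } elseif ($Meaning.ContainsKey([int]$effective)) {
        $text = $Meaning[[int]$effective]
    } else {
        $text = "Unrecognised value $effective"
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Source   = $source
        Value    = $effective
        Meaning  = $text
        IsNotify = ($effective -eq 2)
    } | Select-Object Computer, Source, Value, Meaning, IsNotify
}

Get-AutoUpdateSetting | Format-List
```

A machine where Source reads Group Policy will ignore whatever is picked in the dialog, which is worth knowing before walking a relative through step 4.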
Keep watching here – and in Windows Secrets newsletter – for the latest news. I’ll lower the MS-DEFCON level when I’m satisfied that Microsoft’s cure is better than the disease.
-
Windows Vista Beta 2 now available for download
In the past few minutes, Microsoft posted the “official” Windows Vista Beta 2 bits here.
The servers will melt down in about ten minutes, but if you’re persistent, you’ll get a copy sooner or later.
The original announcement appeared before the site was ready, at MSBlog.
Neowin points to BartysBlog for information on how to get a key.
After you download the file, you’ll have to burn it to DVD using software that can handle ISOs, or you can access the file from a network using an ISO emulator such as UltraISO ($29.95) or the Paragon Emulator personal edition, which is free.
Notes: At 3.13 GB, it’s a big hummer. The filename indicates it’s Build 5384.4, which is the same build that was released at WinHEC, and has been available via MSDN, and on the newsgroups, for weeks. No official confirmation whether it’s really the same build, but it seems likely. Oh. And the download manager requires Sun Java, natch. No yechy ActiveX here, no sireee.
UPDATE: A good friend just wrote to advise that the version of Beta 2 available on Microsoft’s site, called Build 5384.4, is indeed precisely the same version as the one distributed at WinHEC, which is the same as the one made available to MSDN members, and the version that was widely available on the newsgroups about two weeks ago.
-
Windows Genuine Nagware becomes Windows Genuine Spyware
A few weeks ago, Microsoft slipped a new version of Windows Genuine Advantage onto every computer that had Automatic Updates turned on. The new, improved, stealthily-installed WGA examines your system to see if you have a Microsoft-documented copy of Windows and, if not, displays the message “This copy of Windows is not genuine” on your desktop. I call it Windows Genuine Nagware.
But that’s old news. The new news:
Lauren Weinstein reports that WGA “phones home” every time you re-boot your computer, reporting back to Mother Microsoft. And it does so without your knowledge or consent.
It appears that even on [validated] systems, the MS tool will now attempt to contact Microsoft over the Internet every time that you boot… The connections occur even if you do not have Windows “automatic update” enabled… I fail to see where Microsoft has a “need to know” for this data after a system’s validity has already been established, and there may clearly be organizations with security concerns regarding the communication of boot-time information… I’ll leave it to the spyware experts to make a formal determination as to whether this behavior actually qualifies the tool as spyware.
Microsoft, in its inimitable way, is now saying that “It’s kind of a safety switch… We’re looking at ways to communicate that in a more forward manner.” Oh brother.
Adding, uh, insult to insult, many of Microsoft’s legitimate customers report that they’re getting the “This copy of Windows is not genuine” message on perfectly valid, genuine copies of Windows – even copies of Windows that had been scanned by earlier versions of WGA and found to be genuine.
What really irks me is this revisionist drivel from Yahoo News:
The [WGA] tool, part of the Redmond company’s bid to thwart widespread piracy, is being distributed gradually to people who have signed up to receive Windows security updates. The company expects to have offered it to all users worldwide by the end of the year. [Microsoft WGA chief David] Lazar said that so far, about 60 percent of users who were offered the piracy check decided to install it. Once installed, the program checks to make sure the version of Windows a user is running is legitimate, and gathers information such as the computer’s manufacturer and the language and locale it is set for. That information-gathering is disclosed in a licensing agreement. But the agreement does not make clear that the program also is designed to “call home” to Microsoft’s servers, to make sure that it should keep running.
I’m sorry, but that’s unadulterated crap. Most of the people who got hit with the new version of Windows Genuine Advantage never saw it coming – Microsoft simply injected it into their machines, as part of an out-of-sequence “Critical” security update last month. Anybody foolish enough to have Automatic Updates enabled got hit. There was no “offer” to install the new WGA. No licensing agreement. No notification at all.
Yahoo News is simply reporting Microsoft’s version of the events, without independently verifying the facts.
-
Google Spreadsheets in limited beta
I just spent a hellacious evening trying to figure out how to make a simple chart in Excel 2007. The new icons-only interface drove me nuts.
Want to see the future of spreadsheets? Hurry over and sign up for the Google Spreadsheets beta.
Online collaboration. Accessible from anyplace with a Web connection. No, Google Spreadsheets doesn’t have very many features – I couldn’t even use it to draw the chart last night – but the Googlies are hard at work adding useful capabilities.
Then there’s Writely, the collaboration-friendly online word processor that’s, oh, wait a sec. Google owns Writely. Imagine that.
If you want to collaborate in Microsoft Office, you need Exchange Server and SharePoint Server, at a minimum. I, for one, won’t install either. I figure it’s like inviting the QEII to dock in my front yard. I don’t need the hassles, the overhead, the expense, or the Six Flags style learning curve.
Google’s approach is different. If you can get on the Web, you have all the plumbing at hand for collaboration. All we consumers need now are the apps. Google’s going to let the Web do the heavy collaborative lifting. And, along the way, they’re going to lose the decades of backward compatibility and tons of specialized Office features that few people ever need. Smart.
For those of you who have complained (for years!) that Microsoft’s products are too expensive, too bloated, too… well, you know…. there appears to be a viable alternative on the horizon. Sign up, and stay tuned.
-
Vista shoes continue to drop
Remember XPS, Microsoft’s grotesque new PDF-competitor file format that caused so many problems when people tried to read the first Vista Product Guide? (The ‘Softies only published the original Product Guide in XPS – no, not the Information Rights Management enhanced Word 2003 format. XPS. Guess there’s a lesson about eating four-year-old dog food floating around there somewhere.)
Anyway, Whooooosh… XPS is out the door. Paul Thurrott reports that there won’t be any support in Windows Vista for exporting files into XPS format, and there won’t be any XPS viewers built into Vista. Microsoft hints that it will continue to use XPS technology beneath the covers in Windows Vista, but that’s the extent of it. Sounds like Adobe is going to sue the living daylights out of Microsoft over its XPS technology.
In the same article, Paul also reports that PC-to-PC Sync, another widely anticipated feature in the next version of Windows, is out.
User Account Control is in for a huge makeover (thank heaven). Steve Hiskey at Microsoft writes about many changes to User Account Control in Vista “RC1” – which really has me worried because we haven’t seen RC0 yet.
I think the reason why Microsoft has delayed open deployment of Beta 2 is that they’re going to come up with a “new, better” Beta 2, probably this week. Whether it’ll be Build 5384.5, or some other build number, I don’t know. They might even call it RC0. But I don’t think we’ve seen the real Beta 2 yet.
At least, I hope not. I’m running Vista on four machines now, and two of them are very flakey.