Can Microsoft deliver perfect patches?

Windows Secrets Newsletter • Issue 62 • 2005-10-13 • Circulation: over 400,000

Table of contents

Introduction: Something wormy this way comes
Top Story: Can MS deliver perfect patches everytime?
Index of Reviews: We’re adding cell phones to the index
Windows Secrets: Even antivirus software can’t be 100% secure
Woody's Windows: Office SP2 chokes on Windows DiskCleanup
Patch Watch: Fasten your seatbelts for the October patches
Wacky Web Week: Highlander in 30 sec., re-enacted by bunnies

Something wormy this way comes

Our team of Windows experts predicts that a serious worm attack will blaze across the Internet soon. This is due to a security hole that Microsoft announced on Oct. 11.

The remedy is a patch called MS05-051. It’s one of 8 the Redmond company released on its regular Patch Tuesday schedule. All of these patches may be significant to you. But it’s particularly important that Windows XP users upgrade to Service Pack 2 (if you already haven’t) and that users of Windows 2000, XP, and other versions install MS05-051 to protect against the oncoming malware.

This hole is so easy to exploit that those in the know are moving quickly. Third-party security-software updates have already been released by McAfee and Internet Security Systems, and other vendors will soon bring out their own updates, if they haven’t already.

To make matters worse, a hacked .avi media file can also silently infect Windows users who play it, even users of XP SP2 and Windows Server 2003. MS05-050 fixes this.

For this topic, I’ve commissioned a special patch analysis (below) by Ryan Russell, a recognized authority. Ryan is a white-hat hacker who’s authored several books and now helps corporations keep their systems protected.

This worrisome situation has spawned a debate among our contributing editors. On the one hand, Microsoft’s patches sometimes have negative side-effects. On the other hand, waiting weeks to see whether a patch has a bug can expose you to a devastating Internet intrusion.

We decided early this year to publish on a new schedule to solve this dilemma. Our twice-monthly newsletter now comes out a mere two days after every Patch Tuesday, and two weeks after that. Our contributors stay up past midnight on Patch Tuesday researching any reported patch issues. You can then read the newsletter on Thursday and learn how to avoid any problems we find. That should give you the confidence to install the latest patches on Friday or Saturday, before hackers can (so far) code and launch a worm.

This week’s articles by Chris Mosby, Susan Bradley, and Woody Leonhard appear in the paid version of the newsletter. Ryan Russell’s insight into the new threat and Microsoft’s updates is included in the free version this week but will move to the paid version in future issues.

Someday, Microsoft will release software that doesn’t need monthly patches. Until then, we’ll keep our eyes peeled and produce the best information we can to help you. —Brian Livingston, Editor

Top Story

Can MS deliver perfect patches everytime?

By Ryan Russell

The last few years, I’ve found myself doing quality-assurance work for a vendor that sells software to large enterprise customers. That means, among other things, that I’m responsible for checking the updates and patches that go out to those customers.

I also find myself somewhat sympathetic to other vendors regarding how long it takes to prepare a good patch release.

I don’t think there’s a one-size-fits-all amount of time before a patch must be released. However, I can see that the 30 to 60 days that some vulnerability researchers call for is often on the low side.

To be sure, there’re some extreme cases that I find appalling. For example, David Litchfield claims Oracle took around two years to release a set of patches, which reportedly failed to actually fix many of the problems. I’ll take David’s word for it, since he found those issues in the first place. Against that standard, Microsoft doesn’t look too bad.

In fact, Microsoft has a very good reason to try to get its patches perfect the first time, every time. Two reasons, actually.

First, most of the advisories from security researchers are now released on Patch Tuesday. It used to be that Microsoft’s patch releases were irregularly scheduled, so responsible researchers wouldn’t know exactly when to put out their advisories. This would usually leave at least a few hours after a Microsoft announcement before a researcher’s advisory (sometimes with exploit details) was publicly posted. Now the details come out almost simultaneously with the patch.

Second, the patched binary files themselves are often the most useful roadmaps showing exactly where vulnerabilities lie.

Today’s tools easily decode patches

If a researcher can discover the exact vulnerability from the binary patch itself, the cat is out of the bag the moment the patch is released. This means Microsoft really only has one shot to get the patch right before the clock starts ticking. If the Redmond company makes an error that prevents people from immediately deploying the patch, the exploit authors get a head start.

It turns out that they don’t need much of a lead. The technique of comparing an old binary with the patched one to discover the differences must be as old as patches themselves.

Several years ago, I used such a technique myself when Microsoft released patches for vulnerabilities they’d discovered in-house. I needed to write an IDS (intrusion detection system) rule to catch exploitation attempts. The only place to see the problem was in the patch file itself.

In my case, I was doing it by hand, and it was painfully tedious. Nowadays, there are tools that make this kind of work a snap. These utilities include BinDiff by Halvar Flake and Process Stalker by Pedram Amini.

Halvar even released a Flash movie recently, in which he demonstrates how he found the vulnerability that’s fixed by MS05-025. It takes him 20 minutes.

How often does Microsoft blow it?

I’m one of the moderators of the PatchManagement.org mailing list. As such, I get to see just how often people have trouble with Microsoft patches.

To be completely fair, Microsoft is not at all alone in having problems, and I’d tend to rate them better than most. In the recent past, there have been discussion threads regarding patch woes with Adobe, McAfee, and Cisco. But most of the discussion is about Microsoft patches, probably because that’s the core of the community that’s formed.

In August 2005, there was a widely reported problem. Several of the patches would not install, depending on exactly how and where you downloaded them.

Turns out that some of the uploads to Microsoft’s various distribution points didn’t succeed. The patches, which were IE updates, were essentially corrupt. The digital signatures didn’t verify, so servers didn’t even try to install the corrupt patches, which is a good thing. The bad thing is that some patch-installation mechanisms were temporarily broken. Meanwhile, anyone who wanted to write an exploit could find a good copy of the patch and start their work.

It wasn’t as bad as it might have been. Both the Microsoft Update and Windows Update download locations worked. This meant home users typically could still get the patch fine, and knowledgeable admins still did have a place to could go to find a good copy. But not all of them did.

Only five days ’til the worm turns

That’s the same week Zotob (and its friends) came out. You remember those worms, right? They’re the ones that started crashing computers at large news agencies, including CNN, ABC, and the New York Times. Lo and behold, these worms became big news because of that. It took a scant 5 days after Aug. 9 — which was Patch Tuesday — to the release of Zotob.A on August 14.

The news agencies didn’t start reporting on the worm in a big way until a couple of days after that. That’s because the copycat worms that came out a few days after Zotob had bugs that caused crashes. That’s right — those same news agencies had probably been riddled with Zotob all along but didn’t know it because it was a relatively well-behaved critter. It wasn’t until the variants, which had the nasty habit of crashing things, came along that they noticed, because then the on-air talent couldn’t compute.

I hope no one reading this newsletter has to have badly written malware infect them before they notice a problem. But I digress.

Which patch will spawn the worst worm?

It looks like everyone’s favorite candidate this month is MS05-051. This patch fixes a very similar set of vulnerabilities as MS05-039, the August 2005 bulletin that generated Zotob. One difference this time is that XP and Windows Server 2003 don’t run some of the vulnerable services by default.

This means that when the inevitable worm is released, you can expect a lot of infected Windows 2000 machines. In theory, XP SP0 will have a large share of problems, too. Can you really be using XP these days without at least installing SP2?

A year ago, Kevin Mitnick (coauthor of The Art of Intrusion) and I did a study for USA Today. We connected some unprotected XP (and other) machines to the Internet and watched unpatched XP boxes get owned in as little as 4 minutes.

Granted, you can do hotfixes and such and maybe get by, but it’s difficult to imagine not having XP SP2 be your firm, minimal baseline. Are any readers getting by with less than SP2 on XP? I’d be curious to hear about it. [Editor's Note: Submit tips using our contact page.]

Please put MS05-051 on your fast track to install. But that’s not the only one. MS05-050 and MS05-052 are also rated “Critical.” Note that MS05-052 affects IE, for those of you who use Microsoft’s browser.

There are many spammers, phishers, spyware authors, and other general scum who are dying to have a working exploit for the critical holes. They badly want you for your identity and your financial information and to run their botnets on your CPU. They’re often willing to pay other black hats cold cash in exchange for their exploits to be quietly installed on your PCs.

The coming days will show us just how easy these holes will be for the bad guys to take advantage of. For now, assume that’s it’s very practical, and don’t wait to prepare yourself.

Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.

Index of Reviews

We’re adding cell phones to the index

Cell phones are becoming essential peripherals. After much research, we’ve decided to add cell-phone rankings to the other products in the Index of Reviews. We’ve found trusted reviewers who rate the latest cellular devices, in categories such as smart phones, camera phones, world phones, multimedia phones, and entry-level phones.

It’s hard to find a ding-a-ling these days that’s nothing but a phone. The extras include MP3 playback, e-mail, cameras up to 2 megapixels, streaming video, and more. This issue, we’re devoting the entire Index of Reviews just to cell phones. In future issues, phones will appear in this section whenever new test results come out.

		CELLPHONES Mobile Mag names favorite phones of 2005 Mobile Magazine puts 59 phones through their paces to find the best smart phones, multimedia handsets, and entry-level models. The Sidekick II (photo, left) and PalmOne’s Treo 650 emerged as the highest-rated smart phones. Danger Sidekick II (Smart phones, Mobile Choice, Score: 5.0/5.0) PalmOne Treo 650 (Smart phones, Mobile Choice, 5.0) RIM BlackBerry 7100t (Smart phones, Mobile Choice, 4.5) Motorola V710 (Midrange/multimedia phones, Mobile Choice, 4.5) Motorola Razr V3 (Midrange/multimedia phones, Mobile Choice, 4.0) Nokia 6682 (Midrange/multimedia phones, Mobile Choice, 4.0) Samsung SGH-P207 (Entry-level phones, Mobile Choice, 4.5) Link to all ratings and full review
		CAMERAPHONES Photographers pick 2005′s best camera phones Unable to ignore the progress that camera phones have made, American Photo Magazine includes them in this year’s Editors’ Choice 2005 awards. Of the 13 phones tested, they give special recognition to models from LG (left) and Nokia. LG VX8000 (Best Buy) Nokia N90 (Breakthrough, not yet released) Link to all ratings and full review
		SMARTPHONES Treo gets the nod from Laptop Mag Laptop Magazine puts phone/PDA crossbreeds head-to-head to find the best multitasking device. Echoing Mobile Mag’s ratings (above), PalmOne’s Treo 650 beats six other models for the laptop publication’s top spot. PalmOne Treo 650 (Editors’ Choice, Score: 4.5/5.0) Link to all ratings and full review
		WORLDPHONES Déjà vu, Treo gets CNET’s vote, too The Treo 650 wins the prize again, this time in CNET’s tests of seven world phones. In order for a GSM handset to be considered a world phone, it must support triband (900/1800/1900) or quadband (850/900/1800/1900) frequencies. PalmOne Treo 650 (Score: 8.3/10.0) Link to all ratings and full review
		CELLPHONES 2 Motorola offerings top PC Mag phone list PC Magazine adds two new models from Motorola to its list of top-rated cell phones. Both the i355 and the E815 (photo, left) are praised for offering numerous features at a reasonable price. Motorola E815 (Editors’ Choice, Score: 4.0/4.0) Nextel i355 (Editors’ Choice, 4.0) Motorola V551 (Editors’ Choice, 4.0) Sprint MM-5600 (Editors’ Choice, 4.0) Link to all ratings and full review
		CAMERAPHONES PC Mag selects the 2 best camera phones The editors at PC Magazine put six 1- and 2-megapixel camera phones through a battery of tests. Two phones excelled at doing double-duty — the Nokia 6682 (photo, left) and the Samsung MM-A800 — and each earned an Editors’ Choice award. Nokia 6682 (Editors’ Choice, Score: 4.0/5.0) Sprint PCS Vision MM-A800 by Samsung (Editors’ Choice, 4.0) Link to all ratings and full review
		CELLPHONES 11 phones in Sync, each for a reason Sync Magazine’s editors put their trademark spin on the traditional review process by honoring several different phones for different purposes. Eleven phones are chosen, each of which has at least one key feature that sets it apart. Motorola Black Razr V3 (Best for class acts) Link to all ratings and full review —————— For non-U.S. sources of information on a product reviewed above, enter the model name into a search box at one of the following links: Canada / U.K. / Elsewhere The Index of Reviews summarizes only head-to-head comparative tests by respected industry reviewers, not individual ratings of single products. Vickie Stevens is research director of WindowsSecrets.com.

Windows Secrets

Even antivirus software can’t be 100% secure

By Chris Mosby

This may be a tough thing to hear, but it’s true. Even antivirus software has bugs and vulnerabilities that can be exploited, if someone takes enough time to look for them.

Lately, there seems to be a rash of these vulnerabilities. That’s a risk we all take when we deal with software. We just have to hope we can keep our security suites as safe and secure as possible.

The best that anyone can do is to keep their eyes and ears open for vulnerabilities in the software that they use. Try to patch your software as soon as you hear about a problem. That’s exactly what you’re doing by subscribing to this newsletter, taking that first step in keeping yourself informed.

Antivirus apps don’t scan funny filenames

A SecuBox Labs advisory made me aware of an easily exploitable vulnerability in several different vendors’ antivirus software.

This vulnerability is caused by the programs’ inability to scan files that contain extended ASCII characters and control characters that are lower than 0×20. A hacker can easily rename an infected filename with such a name. This would cause the antivirus programs to ignore the filename completely in any scans that are performed.

Except for two vendors in the list, I’d never even heard of these companies. The names still bear mentioning in case you’re using their products. Here’s the list (with a few additions to the SecuBox list from Donna’s SecurityFlash):

• BitDefender Antivirus
• Trustix Antivirus
• Avast! Antivirus
• Cat Quick Heal Antivirus
• Abacre Antivirus
• VisNetic Antivirus (bypass only with manual scan)
• ClamAV for Windows Antivirus
• Antiy Ghostbusters Professional Edition
• Norman Virus Control (NVC)
• Twister Anti-TrojanVirus
• SRN Micro Systems Solo Antivirus

What to do: I haven’t seen a patch for this problem from any of these vendors, so I’d recommend using other antivirus software.

Multiple vendors trip on booby-trapped archives

A completely different flaw affects even more vendors of antivirus software, including Symantec and McAfee. The full list of vulnerable programs can be found at the SecuBox advisory.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

Woody's Windows

Office SP2 chokes on Windows DiskCleanup

By Woody Leonhard

Office service packs have a long, tortured history. The little letters at the end of the release numbers — SR-1a, SR-2b — tell a sad tale of botched patches and patches of patches.

Even though I survived the torturous march to Office version 4.3c, and even Word 1.01a before that, I’ve never had as much trouble installing an Office patch as I had with Office 2003 Service Pack 2, which was released on Sept. 27.

Part of the problem originates with Office itself. But most of the people who’ve had trouble installing Office 2003 Service Pack 2 ran afoul of a commonplace feature known as Windows Disk Cleanup. To understand how things got screwed up, and why Microsoft didn’t catch the problem, you need to take a look at the way Windows cleans Windows.

Understanding how the cleanup thingy works

You probably know that Windows has a built-in disk cleanup feature. I talk about it (and ways to speed it up) in my Windows books. You can see it right now: click Start, My Computer, right-click on drive C:, then choose Properties. Windows shows you a pie chart of your hard drive, and tells you how much free space is available, along with other arcana.

If you click the button marked Disk Cleanup, Windows takes a long, long time to scan your hard drive. Eventually, it comes up with a list of files that can be readily deleted from your hard drive: Downloaded Program Files (ActiveX controls, Java applets), Temporary Internet files (cached pictures), Temporary files (anything in a folder called temp), the contents of your Recycle Bin (which you should only delete after you’ve examined the files to make sure there aren’t any babies in there with the bathwater), and the like.

Windows Disk Cleanup bites Office 2003

If you have Office 2003 installed on your computer — and only if you have Office 2003 — there’s an additional entry in the Disk Cleanup list of files that Windows offers to delete. That entry’s called Office Setup Files. Disk Cleanup describes those expendable files thusly: “Installation files used by Office. If these files are removed from your computer, you may be prompted for your original installation media or source during any Reinstall, Repair, or Patch operation. It is recommended that you not remove these files unless you always have ready access to your original installation media.”

When you see that Office 2003′s expendable installation files occupy a hefty 300 MB of hard disk space, you might be tempted to delete them. Hard to justify sucking up that much hard drive space when all of the files are on the Office CD anyway. Unfortunately, if you do give them the heave-ho, you’ll clobber the Office 2003 Service Pack 2 installer. Guess Microsoft forgot to remind you, eh?

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

Patch Watch

Fasten your seatbelts for the October patches

By Susan Bradley

The yellow shield is in the System Tray reminding me this is Patch Tuesday. And before I began to write this article, I installed all 9. (Yes, there are 8 patches and one malicous software removal tool.)

Woody Leonhard would probably call me foolhardy for turning on Automatic Updates. (See the comments at the end of his column, above.) But these days, it looks like there’s a bumpier ride for those who wait to patch than those who update promptly.

Please patch Charlie Gibson’s PC asap

I hope for sure that the people who handle patch management at CNN, ABC, and places like that are subscribed to Windows Secrets. Our guest writer this issue, Ryan Russell (above), says the new MS05-051 patch (KB 902400) looks like the favorite to win this month’s race between patch administrators and the bad guys.

This new hole is a serious "from remote" threat and the patch should be your top priority. If you remember back two months ago, you’ll recall that the Zotob worm came out very quickly — the first sighting was only five days after Microsoft’s patch release on Aug. 9. The Internet attack affected many large firms, notably several media outlets. I still remember listening to ABC’s Good Morning America anchor Charlie Gibson talking about how his infected workstation kept rebooting.

Microsoft’s MS05-051 bulletin installs some new Registry keys, which are listed in KB 908620. These options allow Windows 2000 admins to add a bit more defense in depth in their systems.

Note that when you install MS05-051, TIP (Transaction Internet Protocol) is disabled. If you need to re-enable it, you can follow the instructions in the KB article.

This bulletin replaces several prior security bulletins. If you historically had any issues with MS security bulletins MS03-010, MS03-026 (Blaster), MS03-039 (Son of Blaster), MS04-012, or MS05-012, keep an eye out. I’ve installed the patch here and am seeing no issues with my applications or network.

IE cume patch may hose Web apps

Our monthly Internet Explorer cumulative patch, MS05-052 (896688), lists the typical caveats about replacing prior hotfixes. This patch also adds additional defense-in-depth features that may affect Web based applications (in particular, anything you’ve custom developed.

It’s wise to test this patch extensively if you have any line-of-business applications that are Web based. KB article 870669 gives details on how to re-enable specific application functionality if you need to.

This bulletin also lists a lengthy set of "Class Identifiers in COM Objects" that really don’t need to be called up by Internet Explorer. The bulletin explains that the patch places a "killbit" to ensure that these objects cannot be invoked via the browser.

Block and defend at your border

The next bulletin that I recommend you take defensive measures on is MS05-050 (904706). This is a case where you need to do some blocking of file types in your antivirus package and at your firewall. Given that many of us are still running with Administrative (full) rights, all it would take would be one hacker to trick my end users into clicking a digital file, such as a .avi, as reported by Internet Security Systems.

Got the Exchange2K Post-SP3 update rollup?

MS security bulletin MS05-048 (907245) had me scratching my head at first. When I was comparing the patches as offered up on Microsoft Update to the bulletin numbers, I couldn’t match this one to the KB numbers in the window.

Because this bulletin affects both Windows and Exchange, there are two sets of KB numbers: 901017 for Windows and 906780 for Exchange. If you need to remove the patch, that might be a bit confusing in your Add/Remove Programs window.

For those needing to deploy this patch to Exchange 2000 boxes, be aware that you’ll need the Post-Service Pack 3 Update Rollup in place. That’s available for download at KB 870540.

What doesn’t auto-update this month

On some workstations with Automatic Updates enabled, there were no prompts for Office 2003 SP2 when the yellow shield indicated there was an Outlook spam-filter update. I ended up just going to Microsoft Update and manually pulling the service pack down. I’m still not sure if the issue is related to a version of Office Web Components, as discussed on the Web, or just a fluke.

Sometimes it pays to be expecting patches and to manually click Microsoft Update to check. For the record, on one XP SP2 machine, this week I’ve installed 8 security patches and one Malicious Software Removal Tool. Last week I installed Office 2003 Service Pack 2 and the new Outlook 2003 junk e-mail filter update (KB 904631). Remember, you only get the new antiphishing features in Outlook 2003 if you install both Office 2003 Service Pack 2 and the junk-mail filter.

How you can fast-track your patches

I still don’t turn on Automatic Updates on my servers, but I do on my workstations. I want them to be fast-tracked with patches and I have savvy end users operating them (hopefully including me, for one).

I went back and reviewed all the patches that caused me grief in my office over the last year. I determined that I wasn’t negatively affected by patch issues to any great degree. In fact, I realized that I would be taking more risk by not quickly patching and waiting to see if others had issues.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

Wacky Web Week

Highlander in 30 sec., re-enacted by bunnies

Jennifer Shiman and her animated flop-ears have done it again. Her new capsule motion picture shrinks the entire Highlander movie into just half a minute, complete with sound track (not just an audiotape on fast forward, either).

Previous take-offs have included stopwatch versions of The Exorcist, The Shining, and the War of the Worlds. But start with her rendition of Highlander, which is coarsely hilarious as long as you don’t expect it to make much sense (rather like the actual film). Highlander animation page
...

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Visit our Unsubscribe page.

Table of contents

Top-scoring articles in the past 12 months

Internet Services

Web Development

Digital Marketing

Consumer Tech