Windows Secrets


Windows Secrets Newsletter • Issue 208 • 2009-07-30 • Circulation: over 400,000


Table of contents 
  • Bonus: Last chance to get money-saving tips for free
  • Introduction: Special report: anti-malware killbits are broken
  • Top Story: Install MS’s out-of-cycle patches for IE, apps

 
Bonus

Last chance to get money-saving tips for free

We can offer our newest bonus for only a few more days this week. All our subscribers are eligible for a free download of Green Home Computing for Dummies by Katherine Murray and our very own contributing editor Woody Leonhard. The book is full of tips on how to reduce your PC’s power cost, optimize your system’s performance for better energy efficiency, and more! The printed volume isn’t in stores yet, but all subscribers can receive our exclusive excerpt of two full chapters now through August 5. Simply visit your preferences page, save any changes, and a download link will appear. Thanks! —Brian Livingston, editorial director

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere


 
Introduction

Special report: anti-malware killbits are broken

By Brian Livingston

When Microsoft makes a mistake, it’s usually a doozy.

It’s been disclosed this week that the “killbits” set by Microsoft to protect Internet Explorer against malware can be circumvented by bad guys — but we’ll tell you today about emergency patches that can defend you.

We don’t ordinarily publish new Windows Secrets content on the 5th Thursday of the month. I mean, come on, our writers deserve a break once in a while. To prove there’s no rest for the wicked, Microsoft’s release of two urgent patches this week forced us back to work. The Redmond company’s out-of-cycle fixes are actually patching other patches that were released on Patch Tuesday just 16 days ago.

Like all our news updates, today’s content includes only a single article — this time, it’s by Susan Bradley, our esteemed Patch Watch columnist — and there’s no difference between the free and paid content. All of our readers receive the same information.

Note: The next regular edition of Windows Secrets will be brought to you on Aug. 6.

Susan’s detailed reporting on what to watch out for in Microsoft patches usually appears in the paid version of our newsletter. If you’re not receiving her findings — and those of Fred Langa, Woody Leonhard, Ian “Gizmo” Richards, and our other contributors — you can get the word every week with no fixed fee. We accept any financial contribution of any amount, and you’ll receive our paid content for a full year. For more info, free subscribers should visit our upgrade page.

Thanks for your support of our research into Microsoft Windows.

We’re pulling in young energy to dig up secrets

I first learned programming some 40 years ago, and Fred, Woody, and Gizmo have had to start lying about their ages. So you might think we have nothing but “geezer geeks” here.

I’m pleased to say that we’re booting up new geeks who can keep the old guys on their toes.

Stephanie Small, photo at left, joins us in the position of research director. As the person who evaluates the torrent of tips that stream in every day from our readers, she’s critical to helping us develop new stories. (In fact, she’s rather critical in general, but I kind of like that.)

Before she came to Windows Secrets, Stephanie was a Web intern with the monthly Seattle Metropolitan magazine, where she generated scores of capsule reviews for that publication’s guide to city life.

Prior to the Met, Stephanie was a reporter for the University of Washington Daily for almost three years. She graduated from the university with a B.A. in communications/journalism in June 2009.

Stephanie has stepped into the shoes of Katy Abby, our long-time research director, who recently moved to Portland, Ore., with her husband, Jon. You used to see Katy’s byline on our Wacky Web Week column, but you’ll be seeing Steph’s name there from now on.

Allison Espiritu (pronounced “ess PEER it too”) is our new research analyst, working closely with Stephanie on a part-time basis. The rest of the week, when she’s not helping us uncover fresh secrets of Windows, Allison is a reporter for the Ballard News-Tribune, a weekly Seattle neighborhood tabloid.

Before her work with WS and the Trib, Allison was a news assistant for the metro section of the Seattle Times, a daily newspaper.

Allison graduated from the University of Washington with a B.A. in journalism in 2007.

Damian Wadley is a Web developer who’s worked with us intermittently this summer and last summer. The other three quarters of the year, he’s a computer science undergraduate at Washington State University in Pullman, Wash.

I’m pleased to report that Damian has signed up to come back to work at Windows Secrets full-time when he receives his degree in May 2010. His accomplishments for us to date include recoding our Web site to make it more reliable and easier to maintain — a code base that will go live in the next week or two.

He’s so good that most visitors won’t notice any difference in our site — and that’s a big compliment to his work. More visible design changes we’re planning will be introduced over the next several months, so stay tuned.

These individuals represent the future of journalism on the Web. I assure you that they’ll be digging up secrets to help Internet users long after I’ve enjoyed my final Blue Screen of Death.

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

 
Top Story

Install MS’s out-of-cycle patches for IE, apps

By Susan Bradley

Two emergency updates released by Microsoft this week correct flaws in Internet Explorer and potentially dozens of third-party programs.

One of the patches is intended primarily for use by application developers, but how far the threat to apps extends — and how many end users will be affected — is not yet clear.

MS09-034 (972260)
Apply this Internet Explorer patch today

This week, Microsoft released security bulletin MS09-034 without waiting for the next scheduled Patch Tuesday on Aug. 11. According to the Redmond company, this patch is rated “Critical” for IE 6/7/8 on XP and IE 7/8 on Vista. (While the Windows 7 release to manufacturing (RTM) version is unaffected by the problem, the Windows 7 release candidate does require patching.)

You may already have applied “killbits” from Microsoft security bulletin MS09-032, which was released on this month’s regular Patch Tuesday, July 14. In theory, these killbits should protect you against certain ActiveX exploits already circulating on the Internet.

Microsoft’s Security Research & Defense blog recommends that you retain the killbits, if you did install them, and also apply this week’s update. The group says this will provide an added layer of “defense in depth” patches.

On the other hand, if you haven’t yet applied the MS09-032 update, installing this week’s out-of-cycle patch means you don’t have to install the previous one.

Why did Microsoft rush out an update for a problem that most admins have already patched? The reason was revealed yesterday afternoon in Las Vegas. A presentation at the Black Hat Security Conference by security researchers Ryan Smith, Mark Dowd, and David Dewey showed that the previous killbit fix could be evaded by malware.

In their blog post announcing the talk, the researchers described how they had found a vulnerability in Microsoft’s Visual Studio Active Template Library (ATL), which is used by developers to write Windows programs. In a video posted on the researchers’ site, they demonstrate how an exploit can take control of a PC, bypassing the killbit.

Microsoft’s statement that MS09-032 protected you from known attacks is technically true. New attacks, however, are likely to show up very soon, due to the release of the Las Vegas presentation. It would be wise for you to install the more-recent MS09-034 patch right away.

MS09-035 (969706)
Apps developed using ATL may be insecure

Hearing of a new patch for Internet Explorer, most of us would sigh, launch Firefox, and simply go on with our lives, thinking we are unaffected. The problem announced this week, however, involves more than just IE.

The vulnerable ActiveX control present in Visual Studio’s Active Template Library (ATL) is used in many third-party applications. So security bulletin MS09-035 may be the more important of this week’s two out-of-cycle updates.

For instance, Cisco Systems has released an alert saying the company’s Unity products are affected by the vulnerability. Other companies’ products — which you might never suspect of being the weak point in a malware attack — could easily be at risk.

Verizon Business is providing a service that checks a system for the presence of this control. As explained in a Verizon blog, the use of the file atl.dll in an application indicates that an app is susceptible.

In my research, I found on one fully patched Vista machine an old tax program that includes atl.dll. I can’t remove this file, because the old software is still needed.
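One way to run the atl.dll presence check described above on your own machine, as an added example (not code from this newsletter or from Verizon's service). The default scan root and the rule that the first folder below it names the owning application are assumptions.

```python
import hashlib
import os
from collections import defaultdict

TARGET = "atl.dll"  # file name the article cites as the indicator


def sha256_of(path, chunk=1 << 16):
    """Hash in chunks so a large DLL is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_atl_copies(roots):
    """Return ({app_folder: [(path, size, sha256), ...]}, unreadable_paths)."""
    hits, skipped = defaultdict(list), []
    for root in map(os.path.abspath, roots):
        # onerror records unreadable directories instead of hiding them
        walker = os.walk(root, onerror=lambda e: skipped.append(e.filename))
        for dirpath, _dirs, files in walker:
            for name in files:
                if name.lower() != TARGET:  # Windows names are case-insensitive
                    continue
                path = os.path.join(dirpath, name)
                try:
                    entry = (path, os.path.getsize(path), sha256_of(path))
                except OSError:
                    skipped.append(path)
                    continue
                # Assumption: the first folder below the scan root is the app
                rel = os.path.relpath(dirpath, root)
                top = "" if rel == "." else rel.split(os.sep)[0]
                hits[os.path.join(root, top) if top else root].append(entry)
    return dict(hits), skipped


def distinct_builds(hits):
    """Set of hashes over all copies; more than one means differing builds."""
    return {sha for entries in hits.values() for _p, _s, sha in entries}


if __name__ == "__main__":
    import sys
    found, unreadable = find_atl_copies(sys.argv[1:] or [r"C:\Program Files"])
    for app, entries in sorted(found.items()):
        for path, size, sha in entries:
            print(f"{app}\t{size}\t{sha[:16]}\t{path}")
    print(f"{len(unreadable)} path(s) could not be read")
```

Treat each hit as a lead to follow up with that application's vendor rather than as proof of exposure. A filename search cannot see programs that compiled ATL code into their own binaries instead of shipping atl.dll.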

To be sure, bad guys are less likely to target an obscure software program than vulnerabilities in IE. Even so, installing MS09-035 gives you additional protection, not just for Microsoft’s browser but also for some apps you may have forgotten you ever installed.

My standard admonition is more important than ever: use a third-party patching tool such as the Shavlik Patch Google Gadget or Secunia’s Online Software Inspector or Personal Software Inspector. Review your system at least monthly, after you’ve installed Microsoft’s latest patches. These tools test a wide range of software — including many browsers other than IE — and notify you when security patches are available.

See my May 28 Top Story for more on Shavlik, Secunia, and other third-party software-update services.

I’ve only heard sporadic reports of problems a few people have had with the out-of-cycle patches. These issues are described in a Microsoft forum post about a Visual Studio compiling error, and an MS MVP blog item about the Visual Studio patch being offered repeatedly. I’ll provide information in my next Windows Secrets column on any other glitches that may affect these patches.

Given the strong recommendations I’ve read by members of the security community, I believe you should install this week’s updates immediately. You can uninstall them if they act up.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.
