It hasn’t been Microsoft’s best month for releasing patches.
After it was widely reported that installing a recent security patch can slow Windows XP to a crawl, the Redmond company had to admit the problem and scale back its recommendation that all XP users apply the update.
Now there are reports that Microsoft’s two latest patches, which correct security problems in Internet Explorer 5 and 6 and Outlook Express 6, also cause difficulties of their own.
- MS03-013 for Windows NT 4, 2000, and XP
This patch, first released on April 16, closes a privilege-elevation hole: an attacker who can log on interactively, whether at the keyboard or through a terminal session, and run code of his own could gain administrator privileges. Because the attack requires a local logon, Microsoft rates this threat “important” rather than “critical.”
Microsoft confirmed on April 25, in Knowledge Base article 819634, that installing the patch on XP Service Pack 1 can seriously slow a PC, especially when an antivirus program is configured to scan files as they are opened. Testers report delays of more than 10 seconds in launching applications under these conditions. The company currently recommends that you either uninstall the patch or disable real-time antivirus scanning and rely on periodic disk scans instead. Either workaround trades security for speed: without the patch the machine stays open to the privilege elevation, and without on-access scanning, malware is caught only at the next scheduled scan.
At this writing, the company says an improved patch will be released at an unknown future date. But other sources say a working patch is already available, although you have to make a special request for it through Microsoft’s Product Support Services.
A word of warning, however, has been sounded by NTBugtraq’s Russ Cooper. He advises users not to install MS03-013 on Windows 2000 until Microsoft explains the purpose of the 10 files the patch modifies. One is Ntdll.dll, the same file whose replacement caused problems as part of the MS03-007 patch.
- MS03-014 for Internet Explorer 5 and 6 and Outlook Express 5.5 and 6
This update, issued on April 23, corrects a security problem in the way IE and OE handle files fetched from the Web. A malicious Web page can make either application render a plain-text file as though it were HTML. Plain text is a “safe file type,” so such a file is opened with Local Computer Zone privileges; if the file actually contains script, that script runs with those privileges and could damage the PC. Microsoft rates this flaw “critical.”
MS03-014 is being described as a patch for Outlook Express 5.5 and 6, but it matters even to those who don’t use OE and only use Internet Explorer 5 or 6, because IE relies on OE’s underlying code to render text files as if they were HTML. Once the patch is installed, IE and OE convert only .mht and .mhtml files into the special form that renders as HTML; other text files are no longer converted.
The problem? In an article not yet posted on the Web, issue 3.15 of the Woody’s Windows XP newsletter reports that installing MS03-014 completely disables IE’s and OE’s ability to reach the Internet when the operating system is XP and Norton Internet Security 2002 is installed. This happens whether or not NIS is disabled before running the update. The e-zine also says the patch stops OE 6 from remembering the most recent folder in which an attachment was saved.
- MS03-015 for Internet Explorer 5 and 6
This patch, released along with MS03-014 on April 23, is a “cumulative update” that combines all known fixes for Internet Explorer 5.01, 5.5, and 6. The update also corrects four new vulnerabilities, three of which are threats that Redmond rates as “critical.”
The most serious vulnerability allows a Web site to run malicious code on a user’s PC. The rogue program would have all the privileges of the locally logged-in user, which on the typical XP machine, where the everyday account is an administrator, means full control of the system.
Woody’s notes that Internet access on XP is disabled if MS03-015 is installed while Norton Internet Security 2002 is running. This problem can be avoided by turning off virus checking before installing the patch (a sensible step when installing almost any application).
Amid this hue and cry, some lowlife is sending out e-mail messages that appear to be from Microsoft, announcing a very desirable “cumulative patch.” I don’t know whether these bogus messages are in response to the XP/IE/OE mess, but the messages carry an attachment called Q178830.exe, which appears to be a virus (although it’s not yet reported in major antivirus databases).
I’m reproducing the fake message below, not because you should follow its advice, but to show how chillingly similar to a real Microsoft message it seems:
- From: Microsoft Internet Technical Services [mailto:sdjsibp887470@WRrTUXG.net]
Sent: Monday, May 05, 2003 10:01 AM
To: MS Customer
this is the latest version of security update, the “May 2003, Cumulative Patch” update which eliminates all known security vulnerabilities affecting Internet Explorer, Outlook and Outlook Express as well as five newly discovered vulnerabilities. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run executable on your system. This update includes the functionality of all previously released patches.
System requirements: Win 9x/Me/2000/NT/XP
This update applies to: Microsoft Internet Explorer, version 4.01 and later; Microsoft Outlook, version 8.00 and later; Microsoft Outlook Express, version 4.01 and later
Recommendation: Customers should install the patch at the earliest opportunity.
How to install: Run attached file. Click Yes on displayed dialog box.
How to use: You don’t need to do anything after installing this item.
Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site, or Contact us.
Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.
Thank you for using Microsoft products.
With friendly greetings,
Microsoft Internet Technical Services
©2003 Microsoft Corporation. All rights reserved. The names of the actual companies and products mentioned herein may be the trademarks of their respective owners.

Important: the above is not a genuine Microsoft message and should not be acted upon. Microsoft is emphatic that it never sends out patches as e-mail attachments. Unfortunately, the bogus message is such a good imitation (except for the weird “mailto” address in the From line) that many end users would run the attached executable file without a second thought.
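To make those warning signs concrete, here is an added example (not part of the original article, and not a Microsoft or Windows Secrets tool) of the checks a mail filter could apply to a message like the one above: does the From display name claim Microsoft while the address lives somewhere else, is there an executable attachment, and does the body tell the reader to run it. Both sample messages are constructed for this example; the bogus one reuses the From line and the Q178830.exe attachment name quoted above, and the trusted-domain list, extension list and regular expression are assumptions of the example, not rules from the article.

```python
import email
import re
from email import policy

# Assumption for this example: only microsoft.com and its subdomains are
# trusted senders for anything that claims to be a Microsoft patch notice.
TRUSTED_DOMAINS = {"microsoft.com"}

# Attachment extensions Windows runs directly when double-clicked (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

# Constructed sample modelled on the bogus message quoted in the article: the
# From line and attachment name are taken from the page, the body is abbreviated.
BOGUS_MESSAGE = b"""\
From: Microsoft Internet Technical Services <sdjsibp887470@WRrTUXG.net>
To: MS Customer
Subject: May 2003, Cumulative Patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="patch-boundary"

--patch-boundary
Content-Type: text/plain

this is the latest version of security update, the "May 2003, Cumulative Patch"
update which eliminates all known security vulnerabilities. How to install:
Run attached file. Click Yes on displayed dialog box.
--patch-boundary
Content-Type: application/octet-stream; name="Q178830.exe"
Content-Disposition: attachment; filename="Q178830.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--patch-boundary--
"""

# Constructed benign message for comparison: no attachment, no impersonation.
BENIGN_MESSAGE = b"""\
From: Jane Colleague <jane@example.com>
To: ops@example.com
Subject: IE cumulative patch
Content-Type: text/plain

The new IE cumulative update is on Microsoft's Web site; fetch it from there
rather than from anything that arrives by mail.
"""


def domain_is_trusted(domain):
    """True if domain is a trusted domain or a subdomain of one."""
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def attachment_extension(filename):
    """Lower-cased extension of filename including the dot, or '' if none."""
    if "." not in filename:
        return ""
    return "." + filename.rsplit(".", 1)[1].lower()


def analyze_message(raw):
    """Return human-readable indicators that raw looks like a fake patch mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name says Microsoft, but the real address is somewhere else.
    from_header = msg["From"]
    for addr in (from_header.addresses if from_header is not None else ()):
        if "microsoft" in addr.display_name.lower() and not domain_is_trusted(addr.domain):
            findings.append(f"display name claims Microsoft but address is {addr.addr_spec}")

    # 2. An executable attachment; Microsoft does not ship patches this way.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_extension(name) in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")

    # 3. The body tells the reader to run the attachment.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if re.search(r"\brun\s+(the\s+)?attached\b", body, re.IGNORECASE):
        findings.append("body instructs the recipient to run the attachment")

    return findings


if __name__ == "__main__":
    for label, raw in (("bogus", BOGUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, analyze_message(raw))
```

Each check alone is weak (legitimate mail can carry an .exe, and a display name is just text), but a message that trips all three at once is exactly the pattern described above, and any one of them is reason enough to tell users to fetch the update from the vendor site rather than from the attachment.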
To send me more information about any of this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.
I’m sending reader David S. Calef a certificate good for a book, CD, or DVD of his choice for his help on this subject.