By Susan Bradley
Last Friday, Microsoft gave me the word that I could take the day off. "No patches for Tuesday!", came the word from the North. But before we all head to the beaches or ski slopes or your favorite watering holes, does this truly mean we are absolutely without issues and not vulnerable?
There are times that I feel a bit like "Chicken Little" running around saying that the sky is falling. But, in reality, every time we use our computers, we’re accepting risk out here. So let’s see where we still have some issues, shall we?
Losing share but not gaining enough security
While those of us in the admin world are likely to be just finishing up the 12 or so patches from last month’s rollout, the dearth of patches this month does not mean there are no security issues out there. Internet Explorer still tops Secunia’s list with the most unpatched vulnerabilities of any browser and, perhaps as a result, the once-universal app has dropped below 90% in market share.
Windows Update still has a few goodies this month
Folks who are still on the Windows 98, 98SE, and Me platforms finally got patches for bulletin MS05-002 (which was released in January for newer OSes and involves cursors and icons) and MS05-015 (which came out in February and involves hyperlinks).
Those of us who are on Windows 2000, XP, and 2003 also did receive a new Malicious Software Removal Tool for March. This will find a few malware items. If it reports that there’s nothing on your machine, you’ll wonder what the fuss is about.
Firefox responds to the IDN issue
Firefox recently came out with an upgrade from 1.0 to 1.0.1, a new version of its alternative browser that incorporates many security fixes. This includes one for the IDN issue, which allowed international domain names to be spoofed in the browser’s address bar.
If you followed Brian Livingstons’ advice in the Mar. 3 newsletter update to ensure Firefox’s automatic updates are enabled, you should see an icon in the corner indicating that updates are available to be installed. If not, click on Tools, Options, Advanced, then scroll down to Software Updates and click the "check now" button.
After you finish the upgrade, IDN support is re-enabled. With verson 1.0.1 you are, however, fairly well protected from phishing attacks by sites using IDN. Sites that use non-ASCII characters in their domain names are displayed in Firefox 1.0.1′s address bar in "punycode," which is a pure-ASCII equivalent. All such domain names begin with "xn--" in their ASCII form, making it impossible for these sites to form names that look like legitimate banking sites.
What to do: Upgrade Firefox 1.0 to 1.0.1, using the steps Brian recommends in his top story, above.
You may have implemented the network.enableIDN workaround we recommended in the Feb. 10 newsletter, or the compreg.dat workaround in the Feb. 24 newsletter. If so, and upgrading to Firefox 1.0.1 didn’t reset these to their default values, you should undo those changes yourself. International domain names are harmless in Firefox 1.0.1, since they can no longer display false information in the address bar.
Netscape, new kid or blast from the past?
The "new kid" on the browser market is an old, familiar name. Netscape has released a beta of its browser, but with a twist. Under the hood of version 8.0 is both the Internet Explorer page-rendering software and Firefox’s platform.
The bad news is that, at the present time, the Firefox version used by Netscape 8.0 is the unpatched Firefox 1.0. Therefore, if you want to choose the Web browser with the fewest public, unpatched vulnerabilities, Firefox is still your only choice. Of all the the popular Windows browsers, Firefox has the fewest unpatched issues, according to figures compiled by Secunia.
I would still strongly recommend that you maintain your consciousness of "safe surfing" for the Web sites you visit. As my mother always told me, if it sounds too good to be true, it probably is.
On April 12, you’ll wake up with XP SP2, right?
The tech news boards have been saying that Apr. 12 is the day those of you on XP SP1 will get handed XP SP2 via download, whether you like it or not. The reality is a bit different.
The confusion relates to the "kill bit" that Microsoft allowed administrators to put into their systems. This bit enabled admins to delay the deployment of XP SP2 via automatic updates. This is what is "expiring" on April 12th.
If you don’t have Automatic Updates turned on in the first place, XP SP2 will not come down on that day. Furthermore, downloading does not mean it’s installed. You still have to click on an end user license agreement (EULA) before SP2 will install.
The process of installing XP SP2 must ensure that the machine is free of malware. I’ll discuss this process in the next edition of Patch Watch on Mar. 24.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.