Microsoft posts work-around for IE flaw. Pushes patch that turns off insecure ActiveX component, while continuing to investigate a more comprehensive fix. [CNET News.com]
Tag Archives | Microsoft
WinXPSP2RC2, in the morning
Successfully installed Release Candidate 2 of Windows XP Service Pack 2
on a test machine last night. This morning, I was greeted by a screen
asking me to turn on Automatic Updates, with green and red shields
lifted from McAfee or similar security products. This option not only
downloads but installs patches as Microsoft distributes them. While this
might be an appropriate setting for a non-professional, it’s important
to me to evaluate the possible dangers of installing, say, an hour
before a major presentation (ask me about Visual Studio Service Pack 5
and my nine GPFs during a DevCon session sometime). Also, you can find
very few patches available from Microsoft that aren’t version 1.0a,
revised or reissued. They just don’t get them right the first time. I’d
prefer to evaluate the danger of being exposed to a flaw, especially in
products I don’t use, like Outlook Express or Media Player, in
comparison to the possibility of destabilizing a production machine.
So, I passed on the Automatic Updates.
Next stop (“Where do you want to go today?”),
Windows Update. Interestingly, Windows Update came up with a “We’re
Sorry” message and a bar across the top of the page saying “This site
might require the following ActiveX control: ‘Windows Update’ from
‘Microsoft Windows Publisher’. Click here to install….” I’m not sure
how that really differs from the older means of confirming
installation, except I don’t see the “Always trust content from
Microsoft” joke checkbox. Clicking on the bar produces a pop-up menu
with three options: “Install ActiveX Control…”, “What’s the Risk?”
and “Information Bar Help” — the last two options both pop yet another
window with the Microsoft Internet Explorer HTML Help. “What’s the
Risk?” doesn’t explain what the risk is; it explains the variety of
messages the bar may display. It appears that ActiveX controls without
valid digital signatures are blocked. The page goes on to ask:
“Do you trust the Web site providing the control?
Don’t install an ActiveX control unless you absolutely trust the Web
site that is giving you the control. Click on Related Topics for
information about how to decide if you can trust a Web site.” OK, I’ll
skip the diatribe on whether I should “absolutely trust” Microsoft and
go on to try to install the control.
Selecting “Install ActiveX Control…” brings up yet another dialog,
titled, “Internet Explorer – Security Warning” and asks “Do you want to
install this software? ” with a “More options” button, “Install,”
“Don’t Install” and another pane across the bottom “This type of file
can harm your computer. Only install software from publishers you
trust.” and a link “How can I decide what software to install?” that
again goes to the help file, on a different topic. The “More options”
button expands the form, revealing option buttons to “Always install
software from ‘Microsoft Windows Publisher’,” “Never install…” and
“Ask me every time” with the last option selected. Seems like “Always
trust Microsoft” lives on.
Finally, the “Install” button really does install the control. However,
the page doesn’t refresh, and I’m left staring at a message that says
“Windows Update has encountered an error and cannot display the
requested page. Try refreshing the page, clearing your Internet
Explorer Temporary Internet Files, closing and restarting Internet
Explorer, or trying Windows Update again later.” and then it goes on
with “Self-help options” and “assisted support options.” Jeeez.
Refresh didn’t work. I get the “Checking for Windows Update” and then a
message “Get the latest Windows Update software” followed by “We’ve
made improvements to our website. To download the new version of the
software and begin using Windows Update, please click Install Now.” I
thought I already did that. Then, I get the “Sorry” message again.
Third time through (because I’m noting all of the messages here) and it
starts installing successfully. Go figure.
Now we get another page. “Welcome,” says the message, “update your computer,” and it presents two options:
“Express Install (Recommended): High Priority Updates for Your Computer
… Choose this for the fastest updating. Quickly scan for, download
and install only the critical and security updates your computer needs”
or…
“Custom Install: High Priority and Optional Updates for Your Computer…
Choose this to scan for optional, critical and security updates your
computer needs, choose from all the updates on the site and review
updates before downloading.”
I choose the latter, of course.
What do you know! No “high priority updates” to install. Good news at last.
Overall, I thought the “eXPerience” was painful, drawn out, and not
terribly helpful. The issues could be explained without several trips
to the Help file. People who are just trying to install some new
internet toy are either going to gullibly ignore all the warnings you
put up, or they are going to pass on the process that is too
cumbersome.
However, the machine is finally patched up to date and I can begin testing. More news as it happens…
Testing VFP and WinXPSP2RC2
Taking my own advice, I installed XP on a test machine, so that I could test Windows XP Service Pack Two Release Candidate Two.
Not a screamer, a PII-266 HP Omnibook that was Laura’s previous
laptop. The CD turned out to be flaky, so I ended up XCOPY32’ing the CD
to disk (it had a Win98SE install on it) and installing from there,
successfully albeit slowly. Where do you want to go today?
Windows Update, of course. A clean install of XP has forty-nine, yes,
49, “Critical Updates and Service Packs” to download. SP1’s a mere 54.5
Mb, so I am glad Comcast’s download cap has been lifted to 3
Mbps. That’s plugging away now, since it must be installed
separately from everything else. Then I can go back and review the
other “Critical Updates” and see what else I’ll need to do.
On the bright side, Microsoft is updating their product — remember
Ashton-Tate that left an entire community hanging for a year and a half
with a dBASE IV that didn’t work before shipping 1.1. On the other
hand, it looks like Microsoft shipped swiss cheese. I read recently,
though I can’t recall where, that someone tried doing this install with
his machine jacked directly into the Internet, but before he could
install all the patches, the machine was compromised. I can believe
that. This one’s been installing for six hours…
UPDATE: After the Windows XP SP1 install, Windows Update now
claims there are only 18 “Critical Updates and Service Packs” left to
go. I’m going to go straight for XP SP2 RC2 (try saying that three
times fast) and see how many are left after that.
More news as it happens…
Psst! Hey, kid! Try this… first hit’s free!
Microsoft to Offer Streamlined Products Aimed at Programmers.
Microsoft is making a bid to win over new developers with a
stripped-down line of products including a free database and
inexpensive developer tools. By STEVE LOHR. [The New York Times > Technology]
InfoWorld: XP update could cause support chaos
Batten down the hatches, those of you, like me, who support clients out
in the field. Windows Update could be bringing you some surprises, in
the form of tech support headaches. If you haven’t beta tested it
already, you might want to get ahead of your customers, who’ll be
beta-testing it soon…
Windows XP update could cause support chaos.
The major changes to Windows XP brought by Service Pack 2 (SP2) are
bound to cause support headaches. Analysts, users, PC makers and
Microsoft Corp. all expect a spike in help desk calls. [InfoWorld: Top News]
InfoWorld: Experts agree on method, not scope of IIS attacks
Tomalak’s Realm links to InfoWorld: Experts agree on method, not scope of IIS attacks.
“We don’t have significant reports of Web sites compromised or of
people sending us examples of the new Trojans,” he said. “I’d rate this
a low risk if you’re patched and a medium risk if you’re not.” Still,
other security companies reported widespread infections.
Three exploits took place at once: the IIS 5.0 servers had an SSL flaw
(patched in MS04-011) that allowed them to be infected. The Windows PCs
had two flaws: an MHTML handling problem in Outlook Express and IE
(also patched, in MS04-013) and a cross-site scripting exploit
identified last week that remains unpatched.
If you must use IE (for example, I can’t get to the Microsoft KnowledgeBase without it), make sure to do the following:
- Set your IE security level to high (Tools, Options, Security:
Select ‘High’ from the drop-down and then ‘Reset’ – you’ll want to note
your previous settings and record them somewhere in case you’re having
problems browsing), and
- Make sure your virus scanner’s up to date. Even though I had
upgraded to NAV 2004 on Friday and updated to the most recent files
then, I downloaded two updates this morning (Sunday) with 1.2Mb+ of new
stuff in them.
One fix for IE?
Microsoft Watch from Mary Jo Foley reports Another Good Reason to Download XP SP2 RC2.
“Microsoft says folks running the recently delivered release candidate
2 of Windows XP Service Pack 2 aren’t vulnerable to the new “Download
Ject” attack that’s romping across the Web.”
So, instead of getting a patch for IE, you can download a *beta* version of a service pack Woody Leonhard calls a “seriously risky patch job” or you can choose to use another browser that’s not affected. Hmmm…
Surfing the web or providing web pages with Microsoft products? Stop.
InfoWorld: Top News reports: “Web attack aims to steal surfers’ financial details.
A new Internet attack discovered late Thursday was designed by an
infamous group of Russian virus writers to steal credit card and other
financial information from Web surfers and send it to Web sites where
it can be retrieved by hackers, security experts warned Friday.” The
key paragraphs:
have said that the attack only affects users of certain versions of
Microsoft Corp.’s Internet Explorer browser…
Additionally, Cluley said that it appears that the threat only affects
Web servers running Microsoft IIS 5 (Internet Information
Services) Web Server software and not Microsoft IIS 6, which comes with
Windows 2003 Server.”
Make sure you’ve patched IIS with the
Sasser patches. Raise the shields high on IE, or better yet, get a
secure browser. According to the article, some *major* sites have been
hacked, so watch those credit card bills!
Update: According to this article on Netcraft, the trojan can be installed silently on fully-patched versions of Internet Explorer. Until the extent of the exploit is known, you may want to hold off surfing with IE.
Be Afraid…
Microsoft patents a method to transmit data and power over the human body.
Today Microsoft was granted patent 6,754,472 for “Method and apparatus
for transmitting power and data using the human body.” [Ars Technica]
Tim O’Reilly: Open Source Paradigm Shift
Open Source Paradigm Shift.
“This article is based on a talk that I first gave at Warburg-Pincus’
annual technology conference in May of 2003. Since then, I have
delivered versions of the talk more than twenty times, at locations
ranging from the O’Reilly Open Source Convention, the UK Unix User’s
Group, Microsoft Research in the UK, IBM Hursley, British Telecom, Red
Hat’s internal “all-hands” meeting, and BEA’s eWorld conference. I
finally wrote it down as an article for an upcoming book on open
source, “Perspectives on Free and Open Source Software,” edited by J.
Feller, B. Fitzgerald, S. Hissam, and K. R. Lakhani and to be published
by MIT Press in 2005.” [Tim O’Reilly, O’Reilly Network]
Interesting reading.