TOP STORY
Expect attacks via latest Windows security hole
By Susan Bradley
Following Microsoft's release last Friday of a critical, out-of-cycle patch, only sporadic reports of attacks based on this weakness have been received but that may not last.
Apply the patch referred to in MS08-067 right away, because Trojan horses that take advantage of this security breach are sure to hit us soon.
MS08-067 (958644)
Microsoft monitors remote-access exploits
As I reported in last Friday's special bulletin, everyone who uses Windows XP, Vista, Server 2003 or later should download and install MS08-067 (patch 958644), which is a critical corrective for the OS.
The good news is that, so far, Window Secrets readers report few problems installing the patch. The small number of glitches they have encountered can be cleared up by uninstalling and then reinstalling the update.
In the meantime, the Microsoft Security Response Center blog reports that the company has detected malware authors discussing online how to take advantage of this vulnerability. However, at this writing, Microsoft says it hasn't discovered any new threats that use this exploit to drop a Trojan on targeted systems.
There may not yet be any fast-moving worm built specifically to exploit this weakness. But the vulnerability is similar to the hole that was used by the MSBlaster worm, which surfaced on the Internet in 2003. So don't let down your guard. Patch your PC if you haven't already done so, because this exploit is sure to be the focus of malware authors before long.
Since it's only a matter of time until such attacks become widespread, I urge you to reach out to other Windows users you know to ensure that they're protected from this vulnerability once you've patched your own systems, that is.
Reboot to complete application of the fix
One question that often comes up when patching Windows is whether you need to reboot the system to ensure that it's fully patched. Some Microsoft patches are able to temporarily suspend a system, add the patch, and then restart only the service or services that are involved.
The file that's being patched by this out-of-cycle update, however netapi32.dll is used by so many different Windows functions that it's impossible to apply the patch without rebooting your machine.
I installed the patch on a PC that's running Small Business Server 2003 to determine the number of services that need to be shut off and restarted to ensure that the system is truly protected. This post on my blog includes a screen shot listing the many different processes that use the file.
Always reboot before installing patches, so you know in advance whether your system is having any boot-up problems you should resolve. Equally important and I cannot stress this enough whenever you install a patch, if the system indicates afterward that you need to reboot it, do so right away. If you wait, you leave your system vulnerable. Also, whenever two versions of the same file are stored in your PC's memory, they're likely to conflict, which makes the machine unstable.
Responses to reader questions about the patch
Over the past week, I've fielded some interesting questions from Windows Secrets readers regarding this rare, out-of-cycle patch from Microsoft. Here are two of the most common queries:
"If I'm running Microsoft software on a Mac, am I vulnerable?"
No. The vulnerability in question affects only Windows, not Microsoft Office or other applications running on a Mac or other non-Windows system. If you use a Mac, you don't have to install this patch.
"Are Windows NT and Windows 98 machines susceptible to the security hole?"
Windows NT, 95, 98, and Me are supported by Microsoft only for customers who pay a fee. As a result, Microsoft releases patches for these operating systems only to people who have Premier support contracts with the company.
However, as was reported on the Patch Management blog by Eric Schultze of patch-management vendor Shavlik.com, Microsoft has provided a fix for this problem to customers who pay for NT patches.
I'm still investigating whether Windows 98 is vulnerable to this problem. Until I determine this, I urge users of Windows versions prior to XP to have a full complement of up-to-date security software on their machines, including both an antivirus app and a software firewall.
Vista gets two expected patches from MS
Vista machines were offered two new, out-of-cycle patches beginning on Oct. 28, two weeks after this month's Patch Tuesday.
One of the patches was MS08-062 (953155). This upgrade is for the Windows Internet Printing Service and only affects you if you're using Vista as a Web server. Microsoft stated on Oct. 14 that this fix was being offered for Windows Server as part of its regular Patch Tuesday release, but that a version for Vista would be coming out later.
Vista is also now receiving its monthly dose of compatibility upgrades in patch 957200. However, at this writing, the Microsoft Knowledge Base article that would ordinarily detail what's in the patch is missing in action.
If you'd like to read up before deploying the patch, as I plan to do, feel free to look for KB article 957200 in the next few days. (It'll probably be posted on this page at Microsoft.com.) I don't believe you need to install this patch until Microsoft explains what it does.
Virtual computers need to be patched with TLC
In a recent blog post, Microsoft employee Tony Soper provides specific instructions for applying this patch on servers that use the company's HyperV virtualization platform. Soper indicates that the virtualized server platform's default setting doesn't even check for patches, let alone install them.
Follow these steps to patch a virtualized server:
• Step 1. Open a command line. Type hvconfig and press Enter.
• Step 2. Type 6 and press Enter to search for updates.
• Step 3. Type Y and press Enter to download and install all updates.
After a few minutes, you'll be prompted to restart the system. Click Yes to initiate a restart.
Don't forget to patch any virtualized operating system that you may have as well. Personally, I patched several test operating systems last Friday that I have running in VMware to ensure that they're also protected.
AVG antivirus is causing patching headaches
As if we didn't have enough patching emergencies to deal with this week, a recent update of AVG's antivirus software knocked out some people's Internet connection. AVG's support page indicates that after upgrading to AVG version 8.0.196, your network link may fail.
If rebooting your PC doesn't fix the problem, follow the instructions on AVG's support page to download the fixfiles.zip file to your computer. Double-click the .zip file to open it, and then double-click fixfiles.exe in the resulting folder to run the utility.
If the glitch persists, the company recommends that you run a repair installation of your AVG app. If reinstalling your antivirus software doesn't get you back online, AVG advises that you contact the company's support desk for further instructions.
I became aware of the AVG update glitch when the program began to interfere with the collection and distribution of e-mail on my Small Business Server 2003 test system.
---
Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She's also a partner in a California CPA firm. Her regular column, Patch Watch, appears twice a month in the paid content of Windows Secrets.
