April 2007 - Posts

More problems for MS07-017

LAN-Fax driver crashes, reboots or "Blue Screens" my computer - I do *not* recommend that you remove the ANI fix unless the LAN-Fax software is a critical line of business application.  New LAN-Fax drivers will be released and available for download on April 10th, 2007.

CrystalXP - I recommend you uninstall CrystalXP and keep the security patch in place unless CrystalXP is a mission critical application.  There is no information available about when CrystalXP will be updated.

Editorial: I've been reading through the fallout of this release on various forums with some people stridently complaining because MS released this patch when MS knew there were going to be problems.  Well, dear reader, let us remember that MS also knew that the security vulnerability being patched by MS07-017 was being actively exploited, and some were calling for Microsoft's blood because Microsoft, in their opinion, did not release the patch quick enough.  By the time the patch was released hundreds of Web sites had been hacked for the express purpose of using the exploit, and spam-blasts were occurring that also tried to take advantage of the vulnerability.

So, what is it that we want of Microsoft? Seriously.  It is simply not possible for MS to test their patches against the millions of different software applications out there in the world.  I'd never heard of CrystalXP before today, just like I'd never heard of ElsterFormular, TUGZip, CD-Tag or LAN-Fax.  On the other hand, I *had* heard of Realtek, and for that one Microsoft had the fix all ready to go.

Now, as for CrystalXP, it seems that that program replaces the system file shell32.dll with its own version. There is no way MS can anticipate how an obscure third party application is going to hack an MS system file.  For CrystalXP to claim that "microsoft installed a buged updated" [sic] is disingenuous.  It would be more correct to say that "CrystalXP's version of shell32.dll is not compatible with the security fix".  And as for their advising users to remove the patch, isn't making sure users are protected from an actively exploited security vulnerability more important?  It is wrong, wrong, wrong of CrystalXP to simply tell users to uninstall the patch and hope that Tuesday's security update will fix their problems for them.   Follow Ricoh's and Realtek's lead and fix your software so that your users can stay patched.

In an ideal world the hotfix that resolves the errors with the Realtek HD Audio Control Panel and other software would have been rolled out at the same time as MS07-017, and not offered as a separate download, but that is not what happened.  I understand the inner workings of MS update releases - the different branches and testing standards that apply to different types of updates - and the dilemmas that MS face when deciding how and when to release patches.  Should MS have deferred the security patch to wait for a hotfix that had met the standard required of a limited-release hotfix, with all of its additional provisos and disclaimers and warnings, but was not yet ready for unfettered distribution?  Considering the active exploitation of the vulnerability, I have to say that they did the right thing by not deferring the security update.

Ok, so that leaves us with "MS should have warned us that there were problems with Realtek".  Putting aside the fact that this information was in the documentation (yes, I know, nobody reads that stuff), the argument can be made that Microsoft probably should have popped up an alert at the time the security update was being installed to warn anybody with the affected Realtek software installed that they needed a hotfix.  But what if tailoring the detection logic would have delayed release of the patch?  MS were already being criticised for waiting as long as they had.

We find another dilemma once we go down the "warn people if there is a conflict" path.  There are often issues with a security update that are discussed in the documentation so how do we decide what requires a special alert and what doesn't?  Do we only alert if there is a hotfix available?  If an estimated X number of PCs are affected?  And what happens if we are installing several security updates, which would require several alerts about conflicts that could confuse and frighten the user? What if those alerts frighten the user so much they simply don't install the security updates at all?  That would be a bad thing.  And what happens when somebody complains because they were warned about a problem with program x, but not warned about a problem with program y? 

Historically, presenting users with a series of warnings does not work well.  They don't read them properly, or they don't read them at all and just click through.  Here are two real world cases that illustrate this point.  I generally lock a server when I am not working on it using the Windows+L key combination.  One day I was going to be away for a couple of days so I handed over certain responsibilities to a different staff member. That staff member needed to log on to the server.  The staffer hits Ctrl+Alt+Del and is presented with the traditional "somebody else is logged in, are you sure you want to do this, they may lose their work" dialogue box.  But, this senior staff member did not *read* the dialogue box and instead assumed that the wrong password had been entered.  The staffer acknowledges the dialogue and tries again.... and again... and again... and again... and again... and again... before finally coming to me and saying there is something wrong with the password.  Not once did the staffer pause long enough to *read* what the dialogue box was saying.  So, because this staffer has demonstrated on several occasions a disinclination to read dialogue boxes I have had to adjust my behaviour to work around that person's deficiency.  If I am going to be away, I log out of the server instead of locking it (a pity, because Windows+L is so much more convenient).

Then there was another incident.  A user was presented with a dialogue box warning that a programme would not work unless the system's short date format was set to dd/MM/yyyy.  The dialogue box is quite clear and says "this is the problem, and this is the fix".  Yet once again, the user did not *read* the dialogue box, nor did the person called in to assist the user.  This resulted in inappropriate steps being taken to avoid the error.

So, what's the end result of all of these ponderings?

  • delaying a security patch that is important enough to justify an out of band release until a hotfix is ready for general distribution would have been a bad thing, because the ANI vulnerability was being actively exploited
  • a dialogue box directing only affected users to the hotfix would likely have delayed the fix for everybody, and run the risk of confusing affected users (assuming they actually read the dialogue box anyway - the person described above certainly would not have done so)
  • warning *everybody* that Realtek software is a problem would have caused more confusion - many users know they have that little red speaker icon in their system tray, but they can't put a name to it, and we run the risk of people not installing the critical fix at all, just in case they have Realtek.
  • warning *everybody* that a hotfix is available if you see <insert error> would be confusing - the error text was long and obscure, and few would bother to write it down just in case they see it - if anything users would download and install the hotfix "just in case", which is a bad thing in itself - hotfixes should only be applied to systems affected by the specific symptoms they fix.
  • by warning about Realtek, are we setting a standard of disclosure that will cause problems going forward ("you warned me about program x but not about program y", "all those dialogue boxes are too confusing")

I am so glad I don't have to make such decisions.

Posted by sandi with 2 comment(s)

MS07-017 - Microsoft Knowledge Base Article 925902 Updated

KB925902 has been updated - it now notes that not only is the Realtek HD Audio Control Panel experiencing issues if MS07-017 is installed, but also ElsterFormular, TUGZip and CD-Tag (3 programs I've never heard of, to be honest).

The hotfix that addresses the problems with the above four programmes conflicting with MS07-017 is already available for manual download, and will be pushed out via Automatic Updates, Windows Update and Microsoft Update on Tuesday 10 April, and will be available via WSUS and SUS (although it won't hit SUS until the 12th of April).

Important note: MBSA and SMS will not automatically identify and deploy the hotfix.

Posted by sandi with no comments

Cyrillic letters are not displayed correctly in Web forms when you use IE7

In this scenario, special characters and numbers appear instead of Cyrillic letters. For example you may see the following entry instead of Cyrillic letters:
:::::;;;;;;?????444444>>>>

This problem occurs when the BitComet 0.84 program installs the BitComet Helper (BitCometBHO_1.1.2.7.dll) Internet Explorer 7 add-on. The BitComet Helper add-on prevents the correct use of Cyrillic letters.

Source: http://support.microsoft.com/default.aspx/kb/934362

Posted by sandi with no comments

You may receive an "Access is denied" error message when you try to access a Web page that contains a script in IE6

In this scenario, you may receive the following error message:

Line: Line_Number
Char: Character Number
Error: Access is denied
Code: 0
URL: file:/// URLPath/Filename

This problem occurs when you open a Web page from the local file system and the page's script reads the event.keyCode property. This is a security change in Internet Explorer 6 on Windows XP with SP2 and on Windows Server 2003 with SP1: scripts in Web pages loaded from the local disk can no longer read the event.keyCode property for the SHIFT key or the CTRL key.

Source: http://support.microsoft.com/default.aspx/kb/934364

Posted by sandi with 1 comment(s)

Internet Explorer 6 may stop responding and does not display images in a Web page on an XP SP2-based computer

  1. You have a Microsoft Windows XP Service Pack 2 (SP2)-based computer that is running Microsoft Internet Explorer 6.
  2. You set the following Temporary Internet Files settings in Internet Explorer 6:
     • You select the "Every visit to the page" setting.
     • You set the "Amount of disk space to use" setting to 1 megabyte (MB).
  3. You configure Internet Explorer 6 to use only a single HTTP 1.1 connection.
  4. You significantly reduce network bandwidth on the computer, and the Web server takes longer than expected to respond to HTTP requests.

In this scenario, Internet Explorer 6 may stop responding when you visit a Web page. Additionally, no images are displayed in the Web page.

Ok, so I always recommend that people set IE to check for new versions of a page on every visit, or every time IE is restarted, because the "Automatically" option is notoriously buggy, eventually behaving just like the "Never" option (meaning that if a page changes you won't see the changes unless/until you empty your IE cache) - but why the heck would anybody set disk space to 1 megabyte??

Anyway, for those of you who *do* want to set their IE cache to 1 megabyte (please don't) there is a hotfix available - please note that you will also have to edit the registry after applying the hotfix.

Source:  http://support.microsoft.com/default.aspx/kb/920605

Posted by sandi with no comments

Web services such as Exchange ActiveSync or Outlook Web Access unexpectedly stop working after an automatic hotfix installation

This problem can also occur when you manually install a hotfix that is configured to automatically stop and restart the World Wide Web Publishing Service (WWW service).  If a hotfix installer tries to stop the WWW service at the beginning of a hotfix installation and the service is not shut down gracefully, the installer may not try to restart the WWW service.

http://support.microsoft.com/default.aspx/kb/933359

Posted by sandi with no comments

My beautiful daughter has had an amazing 24 hours

Yesterday she came home with four awards - an amazing achievement considering that she is not only in her second-last year of school, with its high work load, but is also the most in-demand staff member at her place of work - it's amazing that the girl has been able to save $1,000 on her own on the measly hourly rate she gets as a casual employee.  Her awards are:

100% attendance
Student of the Term - Year 11 Physical Education Studies
Student of the Term - Year 11 Human Biology
Student of the Term - Year 11 English 2A

Then today, in the morning, she successfully passed the written exam necessary to obtain a Learners Driving Permit and had her first go at driving a car... for a whole hour, with her father, in his car (her father seems to have survived the stress of the occasion).

Then, for the afternoon the focus was on hair and a session with a professional makeup artist to get ready for her first school ball this evening.  Yep, Mom and Dad are proud as punch, as are the grandparents, and aunties and uncles and friends.  Just between you and me, I think she is the most beautiful girl at the ball.  Man, that girl has style.. check out the limo that they chose .... photos taken outside her friend's home.


Posted by sandi with 1 comment(s)

Problems with MS07-017 and the Realtec High Definition Audio Control Panel

You may see this error after installing MS07-017 onto a system which has the Realtek High Definition Audio Control Panel installed.

RTHDCPL.EXE - Illegal System DLL Relocation
The system DLL user32.dll was relocated in memory.  The application will not run properly.  The relocation occurred because the DLL C:\WINDOWS\system32\HHCTRL.OCX occupied an address range reserved for Windows system DLLs.  The vendor supplying the DLL should be contacted for a new DLL.

You need to install the Hotfix at this URL to fix the issue:
http://www.microsoft.com/downloads/details.aspx?familyid=74ad4188-3131-429c-8fcb-f7b3b0fd3d86&displaylang=en&tm

We had this problem at the office; we have HP7100s and HP7200s - only the 7100s include the Realtek High Definition Audio Control Panel.  The systems with the Realtek HDACP installed, but not loading at startup, did not have problems.

MS07-017, an out of band patch, addresses several GDI issues, including the high profile animated cursor vulnerability which has received so much press. I strongly recommend that you install the patch.

Information about MS07-017 can be found here:
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

Knowledgebase article here:
http://support.microsoft.com/kb/925902


Posted by sandi with 1 comment(s)

Protected Mode for IE7 in Windows Vista - Is it On or Off?

Here is an excellent article that explains how IE's Protected Mode may end up disabled:
http://blogs.msdn.com/ie/archive/2007/04/04/protected-mode-for-ie7-in-windows-vista-is-it-on-or-off.aspx

I have always discouraged users from disabling UAC - yes, it can be irritating to see a prompt when you want to undertake certain tasks on your computer, but such protections are the reality that we have to deal with if we want to stay secure.

We don't know what vulnerabilities may be discovered today, tomorrow, or further down the track, so we have to adopt the mindset that prevention is always better than cure.  The reality is that users of IE7 under Vista who had Protected Mode enabled were/are protected from being infected by the high-profile ANI exploit if they happen to hit a hacked Web site.  It is also reality that the hacking of legitimate Web sites to insert hostile code, in an attempt to infect visitors via whatever security exploit is current, is a growth industry.  We can no longer be certain that if we only go to 'safe' sites we will not be at risk.  Look at the ASUS site hosted in Taiwan - it's been hacked *twice* that I know of, as has a slew of other high profile sites, including Yahoo India and other big names.

So, all of us have to make a choice.  Which do we prefer - an occasional (and yes, it *is* occasional for the average user - don't believe the Apple adverts) prompt for elevation permission that takes only a second or two to address, or the risk of having to spend hours, if not days to clean up your computer if it is compromised, or even having to reformat?  I'll take the former thank you.


Posted by sandi with 1 comment(s)

Do you think you're safer using Firefox? Not necessarily

Source: http://blogs.zdnet.com/Ou/?p=461 (thanks Harry for bringing this to my attention)

"Firefox alone in recent months has had more exploits than Windows XP and Vista combined and is in serious need of mitigation measures (not to mention better code auditing). For example, here's a batch of 11 critical vulnerabilities and here's a batch of nine critical vulnerabilities, and some of those exploits were zero-day with proof-of-concept code. If Mozilla ever wants Firefox to be taken seriously, it's going to need to do better auditing of its code and implement security measures that are available in the operating system. The Web browser is simply too large an exploit vector to ignore, and the sooner Mozilla implements Protected Mode the better."

Harsh words, but needed.  I still see too many people holding up Firefox as the be-all-and-end-all of security.

It doesn't matter what software you use - you have to stay patched, you have to stay aware, and you have to use safe hex.

Posted by sandi with no comments

Prosh Day today - but the students involved are not winning any friends

Today is PROSH Day (information here).  PROSH is an annual charity supported by the UWA Student Guild and The University of Western Australia.

Unfortunately what started out as a fantastic charity event years ago seems to be corrupting more and more as time goes by thanks to the deteriorating behaviour of the students involved.  My experiences this year, when leaving the Perth train station and walking to work, were by far the worst yet.

I knew we were in for trouble when I heard the Transperth staff at the train station broadcasting an announcement asking the Prosh sellers to stop blocking the exits, and warning that if they did not comply they would be removed.

Then there were the announcements asking specific students to leave the platforms - it is illegal to try and sell wares on Transperth property unless you are an actual stall/store holder, and these students know this, but it doesn't stop them from trying their luck anyway.

To leave the station I had to force myself through an unruly mob of about 20 yelling, costumed, university students who were blocking the overpass, and were so determined to get people to buy their Prosh paper they were shoving it in people's faces and physically blocking the exit.

Even after I managed to exit the train station (and to be honest, the students' behaviour was frightening - these kids have no idea of the concept of personal space) I continued to be accosted on every street corner and arcade entrance, and even berated by one overzealous seller dressed like a ninja.

Only one group was polite - on the corner of Pier and Hay Street.  My compliments to those young Canadians - they had manners - but unfortunately by the time I reached their corner my frame of mind was such that I had no intention of donating to Prosh.

The university students involved in this morning's events should be ashamed of themselves, take a good hard look at their behaviour and realise that the actions and words that I saw today will turn people away from Prosh.  As a whole Perthites are very generous charity givers, but do not expect support if you yell and shove your wares in our faces.

Posted by sandi with 2 comment(s)

MS07-017: Vulnerability in GDI could allow remote code execution

This is the fix for the ANI exploit as well as other GDI related vulnerabilities.

It is very important to check for known issues before installing security fixes - a known issue affecting MS07-017 may hit a lot of people, and if they do not read the documentation before allowing the fix to install via Automatic Updates, Windows Update or Microsoft Update then they could be in for a shock.

"After you install this security update on a Windows XP Service Pack 2 (SP2)-based computer, Realtek HD Audio Control Panel (Rthdcpl.exe) may not start. Additionally, you receive an error message that is similar to the following:
 
Rthdcpl.exe - Illegal System DLL Relocation
The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

935448 (http://support.microsoft.com/kb/935448/) The Realtek HD Audio Control Panel may not start, and you receive an error message when you start the computer: "Illegal System DLL Relocation."

If you experience this error after installing the ANI patch, please download and install the fix, available here:
http://support.microsoft.com/kb/935448/


Posted by sandi with no comments

Has asus.tw been hacked again? Also, ANI Patch released.

Source: Comment to Susan's blog by Lars Nelson:
http://msmvps.com/blogs/bradley/archive/2007/03/18/sbsized-windows-2003-sp2-release-notes.aspx

"Right now, my mood is terrible, because before I could get down my first bit of coffee this morning, my Symantec AV was telling me that the ASUS website just tried to pass along the currently unpatched .ANI exploit.  Yes, it appears as though  ASUS has been hacked and is passing along the .ANI exploit that as I understand Microsoft has know about for a few years.  See http://www.dynamoo.com/blog/ for details on the ASUS thing."

Damn it, this is not the first time that ASUS has been hacked. See this blog entry for the last incident:
http://msmvps.com/blogs/spywaresucks/archive/2006/12/16/425879.aspx

An out-of-band patch that addresses this issue has now been released.  I strongly recommend that you get it installed on all machines that you are responsible for as soon as possible, since we can't depend on reputable Web site owners such as ASUS to keep their sites clean.

MSRC have blogged about the release:
http://blogs.technet.com/msrc/archive/2007/04/03/ms07-017-released.aspx

One thing Lars... Microsoft has not known about the ANI exploit for "a few years". It is actually a few *months* and the patch was already slated to be distributed on 10 April - MS pushed the release forward once evidence appeared that the bad guys were trying to use it to infect the general public.

Update: It has been independently confirmed that asus.com.tw *has* been compromised, with an iframe injected into the page code.

Posted by sandi with 1 comment(s)

You know you're getting famous when somebody steals your stuff

So I spotted something in a Technorati search the other day... a site hosting www.ie-vista.com via a frame in a remote site, with a banner advert plastered across the top of the screen, the only goal being to earn easy cash from *my* hard work.

  1. I hate that somebody is making money off my sweat and tears;
  2. I hate that the banner ads in question could place visitors at risk, whether it be via a winfixer infiltration or worse.

So anyway, if you want to stop your site being stolen in such a way, here is what you do - it's called Frame Breakout.  Add the following script to the <head> section of your pages; it checks whether the page is the top-level window and, if it isn't, replaces the framing page with itself.  Remember that if your own site uses frames things are going to get *way* more complicated, because the script will break your own frames too, but you can code exclusions if need be.  Note also that it is a client-side script, so it only helps for visitors who have scripting enabled.

Anyway the code:

<script type="text/javascript">
// Frame breakout: if this document is not the top-level window it is being
// framed, so navigate the top-level window to this document's own URL.
if (top.location != self.location)
    top.location = self.location;
</script>

For those of you with more complicated sites, this article may be of assistance:
http://javascript.about.com/library/blfrm1.htm
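As an added example (my own code, not the script from the post above), here is a version of the same check that allows for the exclusions mentioned above: a short list of parent origins that are allowed to frame the page, so a site that frames its own pages does not break itself. The names frameDecision and installFrameBreakout and the allow-list are my own; www.ie-vista.com and usercash.com appear only as sample origins, and the referrer values in the comments are constructed. A framed page cannot read a cross-origin parent's URL, so document.referrer is the only hint it has about who is framing it, and a framing page can arrange for that to be empty, which is why an unknown or missing referrer is treated as hostile. Bear in mind that any script-based breakout can be defeated by a framer that prevents the top-level navigation (a sandboxed iframe without allow-top-navigation, for instance), so treat this as a deterrent rather than a security boundary.

```javascript
// Added example, not the original post's code.  Frame breakout with an
// allow-list of parent origins.  Function names and sample values are my own.

// Pure decision logic, kept separate from the browser so it can be tested.
// referrer is document.referrer as seen by the framed page; it may be empty.
function frameDecision(isTop, referrer, allowedParentOrigins) {
  if (isTop) {
    return 'stay';                                   // not framed at all
  }
  let parentOrigin = null;
  try {
    parentOrigin = new URL(referrer).origin;         // throws on '' or garbage
  } catch (e) {
    parentOrigin = null;
  }
  if (parentOrigin !== null && allowedParentOrigins.indexOf(parentOrigin) !== -1) {
    return 'stay';                                   // framed by a parent we trust
  }
  return 'breakout';                                 // unknown or hidden parent
}

// Browser side: call this from a script as early as possible in <head>.
function installFrameBreakout(allowedParentOrigins) {
  if (typeof window === 'undefined') {
    return 'no-window';                              // not in a browser (e.g. node)
  }
  // Compare the window objects rather than their Location objects; it is the
  // conventional idiom and does not depend on what a cross-origin parent exposes.
  const decision = frameDecision(window.top === window.self,
                                 document.referrer,
                                 allowedParentOrigins);
  if (decision === 'breakout') {
    // Assigning to top.location is permitted even for a cross-origin parent;
    // it replaces the framing page with this document.
    window.top.location = window.self.location.href;
  }
  return decision;
}

// Example wiring for a site whose own pages may frame each other (constructed):
// installFrameBreakout(['https://www.ie-vista.com']);
```

Because frameDecision is a plain function, the allow-list behaviour can be checked outside a browser: a top-level window stays put, a page framed from an allowed origin stays put, and a page framed from anywhere else (or with no referrer at all) breaks out.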

So, to the bastards who tried to steal my site and make money from my work by hosting www.ie-vista.com via frames and an usercash.com URL I have this to say:

BITE ME!!

Posted by sandi with no comments

Out of band patch being released on 3 April 2007 to address the Windows Animated Cursor Handling security exploit

"On Tuesday 3 April 2007 Microsoft is planning to release one Microsoft Security Bulletin affecting Microsoft Windows.   The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer."

MSRC have blogged about the release:
http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx

I strongly recommend that everybody install this patch as soon as it is released.

Posted by sandi with no comments

New Internet Explorer knowledge base articles

IE7 may not correctly recognise the zone to which a network resource belongs when you access the resource by using a mapped drive in Windows Vista or in Windows XP with Service Pack 2:
http://support.microsoft.com/default.aspx/kb/929798

BUG: A script that uses the execCommand function together with the SaveAs command does not save a Web page in IE7 on a Windows Vista-based computer:
http://support.microsoft.com/default.aspx/kb/934817

When you try to use IE7 to download a file from a Web page, the file name changes:
http://support.microsoft.com/default.aspx/kb/933133

Posted by sandi with no comments