    Surprise Microsoft patches and Internet security breaches

    by Alan Zisman (c) 2008. First published in Business in Vancouver, November 4-10, 2008; issue 993

    High Tech Office column


    Every few months, a reader passes on an e-mail from a colleague forwarding something they’d received. The much-quoted message mentions some sort of computer virus or other malware apparently spreading around and typically attributes the warning to CNN or an e-mail from Microsoft.

    And every time, pasting a sentence from the message into Google has quickly verified that it’s a known hoax. I generally point out that Microsoft doesn’t e-mail end users warning them about security problems.

    So late in October, when I got an e-mail asking for my opinion on a message that claimed to be from Microsoft, my first thought was here we go again. But the message, with the subject “Alert – Critical Product Vulnerability – October 23, 2008” seemed different. All the links in it pointed to real Microsoft web pages, unlike phishing scam messages, where links claiming to go to a financial service actually lead elsewhere.

    And the timing made me take it more seriously. For several years, Microsoft has been timing its updates for “Patch Tuesday” – the second Tuesday of every month, allowing IT departments to better plan their deployment. But the company had startled customers by releasing, on October 23, an out-of-schedule emergency security patch (MS08-067) to fix file and printer sharing in a variety of versions of Windows – the first time in over a year that it had chosen not to wait for the next Patch Tuesday.

    Apparently, like 2003’s epidemic Blaster worm, malware exploiting the sharing vulnerability has the potential to spread rapidly: because the flaw allows remote code execution, it can affect users within corporate networks without requiring them to open an attachment or connect to a suspicious website. Multiple examples of malware using this vulnerability have been reported.

    According to Microsoft’s advisory, “Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.”
    But don’t assume that a firewall is perfect protection. If you use an unprotected notebook outside your protected network, say at home, plugging it back in at work could bring the infestation inside your presumably safe network.

    Good for Microsoft for taking the unusual step of pushing this security patch out immediately, rather than waiting a couple of weeks and releasing it through normal channels. If your Windows computer has been set to check for updates and download and install them automatically or if your IT department makes sure that this happens, you’re probably safe from this attack.

    And because I haven’t heard of widespread network problems in the days between Microsoft’s warning and writing this column, efforts to control this security issue may have been (fingers crossed) effective. Just to be certain, go over to your computer right now, open up Windows Update (or Microsoft Update) and make sure you’re up to date. (According to Microsoft, even without this update, Windows Vista systems are less vulnerable on this one than systems running Windows 2000 or XP.)

    While I was forwarded one example of a warning e-mail from Microsoft, I didn’t receive the warning personally and haven’t heard from anyone else who received it. The reader who passed on the message suspects that he got it because he’s on Microsoft’s lists as a software developer. But it’s no longer safe to assume any warning claiming to come from Microsoft has to be a hoax.

    Still, it’s worthwhile to remain suspicious. Just a few weeks ago, fake e-mail notifications claiming to be from Microsoft were spread, alerting users to the mid-October Patch Tuesday and bearing an attachment that, if opened, would infect systems with the so-called Haxdoor Trojan.

    And security company PandaLabs estimates that some 7,000 different types of fake antivirus and antispyware software have victimized over 30 million users, taking their money and infesting their computers with adware and spyware. •

Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan