Surprise Microsoft patches and Internet security breaches
by Alan Zisman (c) 2008
First published in Business in Vancouver, November 4-10, 2008; issue 993
High Tech Office column
Every few months, a
reader passes on an e-mail from a colleague forwarding something they’d
received. The much-quoted message mentions some sort of computer virus
or other malware apparently spreading around and typically attributes
the warning to CNN or an e-mail from Microsoft.
And every time,
pasting a sentence from the message into Google has quickly verified
that it’s a known hoax. I generally point out that Microsoft doesn’t
e-mail end users warning them about security problems.
So late
in October, when I got an e-mail asking for my opinion on a message
that claimed to be from Microsoft, my first thought was “here we go
again.” But the message, with the subject “Alert – Critical Product
Vulnerability – October 23, 2008”, seemed different. All the links in it
pointed to real Microsoft web pages, unlike phishing scam messages,
where links claiming to go to a financial service actually lead
elsewhere.
And the timing made me take it more seriously. For
several years, Microsoft has been timing its updates for “Patch
Tuesday” – the second Tuesday of every month, allowing IT departments
to better plan their deployment. But the company had startled customers
by releasing, on October 23, an out-of-schedule emergency security
patch (MS08-067) to fix file and printer sharing in a variety of
versions of Windows – the first time in over a year that it had chosen
not to wait for the next Patch Tuesday.
Apparently, like the flaw behind 2003’s
epidemic Blaster worm, the sharing vulnerability allows remote
code execution, so malware exploiting it has the potential to spread
rapidly, affecting users within corporate networks without requiring
them to open an attachment or connect to a suspicious website. Multiple
examples of malware using this vulnerability have been reported.
According to Microsoft’s
advisory, “Firewall best practices and standard default firewall
configurations can help protect network resources from attacks that
originate outside the enterprise perimeter.”
But don’t assume that a
firewall is perfect protection. If you use an unprotected notebook
outside your protected network, say at home, plugging it back in
at work could bring the infestation inside your presumably safe network.
Good
for Microsoft for taking the unusual step of pushing this security
patch out immediately, rather than waiting a couple of weeks and
releasing it through normal channels. If your Windows computer has been
set to check for updates and download and install them automatically, or
if your IT department makes sure that this happens, you’re probably
safe from this attack.
And because I haven’t heard of widespread
network problems in the days between Microsoft’s warning and writing
this column, efforts to control this security issue may have been
(fingers crossed) effective. Just to be certain, go over to your
computer right now, open up Windows Update (or Microsoft Update) and
make sure you’re up to date. (According to Microsoft, even without this
update, Windows Vista systems are less vulnerable on this one than
systems running Windows 2000 or XP.)
While I was forwarded one
example of a warning e-mail from Microsoft, I didn’t receive the
warning personally and haven’t heard from anyone else who received it.
The reader who passed on the message suspects that he got it because
he’s on Microsoft’s lists as a software developer. But it’s no longer
safe to assume any warning claiming to come from Microsoft has to be a
hoax.
Still, it’s worthwhile to remain suspicious. Just a few
weeks ago, fake e-mail notifications were spread, claiming to be from
Microsoft and alerting users to the mid-October Patch Tuesday. They bore
an attachment which, if opened, would infect systems with the so-called
Haxdoor Trojan.
And security company PandaLabs estimates that
some 7,000 different types of fake antivirus and antispyware software
have victimized over 30 million users, taking their money and infesting
their computers with adware and spyware.