by Kim Zetter and Dylan F. Tweney
From the April 2003 issue of PC World magazine
[author’s note: Kim wrote the main story; I wrote the six sidebars, the text of which is reproduced below. Be sure to get the magazine to see the excellent illustrations by Hal Mayforth!]
E-Mail Programs: Insulate Your In-Box
Microsoft Outlook: Security vulnerabilities in Outlook 2002 are addressed by the service packs for Office XP (see “Office Suites”). Once you’ve installed Service Pack 2, however, Outlook may start crashing. To fix that problem–and to patch yet another security hole that spammers could use to crash your e-mail application–download the Outlook 2002 Update.
Outlook 2000 users need to get Office 2000 SR-1a and Service Pack 3 (see “Office Suites” for details). Once SP3 is installed, you may find that Outlook 2000 fails to behave properly, or that it uses 100 percent of your CPU resources when running in Internet Mail Online mode. A small patch will cure that problem.
If you don’t want to install Office 2000 SP3 for some reason, you should at least install the latest version of the Outlook 2000 Security Update, which will protect you against e-mail viruses and worms.
Microsoft Outlook Express: Outlook Express is bundled with Internet Explorer; so to secure Outlook Express, you need the latest fixes for the browser. Get the cumulative patches for IE 5.5 and 6.
Outlook Express 6 and Outlook Express 5.5 Service Pack 2 also have a vulnerability that hackers could exploit to crash or hack into your computer, just by sending you a digitally signed e-mail message. To prevent this theoretical attack, download the Security Update for Outlook Express.
A separate, cumulative update for Outlook Express 6 users patches a number of other security gaps.
Eudora: Eudora versions 5.0 and 5.1 could allow an attacker to run code on your machine by sending you specially formatted multipart e-mail messages. Unlike Microsoft, Qualcomm doesn’t do patches. The newest version of the program, Eudora 5.2, takes care of the problem. (The upgrade is free for users who purchased and registered Eudora 5.x.)
To protect yourself against “cross-site scripting,” which can let HTML-formatted e-mail messages execute code on your machine while posing as Web sites that you trust, go to Tools, Options, Viewing Mail, and make sure that ‘Allow Executables in HTML Content’ is not checked.
Operating Systems: Protect Your Platform
All Versions of Windows: Microsoft’s Windows Update site automates the patching process by recommending downloads based on your PC’s configuration; it can save you a lot of time. Windows Update also allows you to download everything in one fell swoop.
IS managers should visit the Windows Update Catalog page. There you can locate updates by operating system and program, and then install them manually.
If you want to stay on top of the latest security updates as they are released, or browse through past updates, head over to Microsoft’s Security & Privacy pages, where you’ll find the most recent bulletins, as well as the archived ones. You can also sign up to have Microsoft put you on its e-mail list to receive its security alerts.
If you prefer to obtain your patches a la carte, read on.
Windows XP: Whether you have XP Home Edition or XP Professional Edition, you have security problems stemming from Universal Plug and Play, glitches in the way XP handles SSL certificates from secure Web sites, a bug that could prevent you from accessing encrypted files after you change your password, and other issues. The fix: Install Windows XP Service Pack 1.
Windows XP users can avoid visiting the Windows Update site by turning on Automatic Updates, which will download patches as soon as they become available–and install them for you too, if you want. Right-click My Computer, select Properties, and choose the Automatic Updates tab. Put a check in the box beside Keep my computer up to date, and specify whether you want Auto Update to notify you before it installs the updates or you want it to do its thing automatically. Automatic updating is available for Windows 2000 users, too; it’s included in Windows 2000 Service Pack 3.
Because patches themselves can cause difficulties (see “When the Cure Is Worse Than the Disease“), we recommend that you have Windows notify you before it installs any patches. If the notifications themselves become annoying, then turn off Auto Update–but don’t forget to check periodically for new patches.
Windows Me: Windows Me has a number of security holes, including problems in the way Me handles digital certificates and a bug that lets other users on a network view shared folders on your PC even if they don’t have the right password. There’s no service pack for Windows Me, however, nor is there a single list of security patches for this operating system. The easiest way to patch your Me system is to go to the Windows Update site.
Windows 2000: This version has hundreds of serious security holes and bugs, including multiple flaws relating to password theft, denial-of-service attacks, and more. Service Pack 3 will help fend them off.
The Windows 2000 High Encryption Pack provides 128-bit encryption support for Web sites that run on a Win 2000 server, increasing the security of online transactions.
Windows 98 and Windows 98 Second Edition: The first edition of Windows 98 has a limited number of security problems, including a hole that could allow an intruder to get around log-in and password screens. The Windows 98 Customer Service Pack fixes the flaws, along with a few stability issues. Windows 98 SE users don’t need this service pack.
Besides the Customer Service Pack, there are a dozen additional security updates for Windows 98 and Windows 98 SE. Among the security gaps corrected are weaknesses that allow hackers to run malicious code on your computer, crash your e-mail program, and retrieve stored passwords. Microsoft provides a list of Windows 98 security updates and links to the patches.
Browsers: Beef Up Their Borders
Internet Explorer: If you’re using Internet Explorer 6, critical security issues include a vulnerability that maliciously programmed Web sites could exploit to gain access to files on your PC, and a bug that permits sites to read and change the contents of cookies that other sites have stored on your PC. To mitigate these risks, download Internet Explorer Service Pack 1. (Note: IE SP1 is included in SP1 for Windows XP.)
The High Encryption Pack adds 128-bit encryption to IE, beefing up security for online transactions. It’s available for IE versions 4 to 5.01. Versions 5.5 and 6 already include 128-bit encryption.
Once you have installed the IE service packs, you should check regularly for the most recent updates. See Microsoft’s bulletins (under Security Updates), or jump to Critical Updates for links to all cumulative patches.
If you’re using IE 5.01, 5.5, or 6 on any platform except Windows XP, your PC has a critical security gap in the Microsoft Data Access Components. By attacking this weakness, a hacker could run devious code on your PC. The patch is not included in IE’s cumulative updates. Windows XP users don’t need this fix.
Netscape: The latest version of Netscape’s browser, Netscape 7.01, includes every security update that the company has provided to date. One flaw could let a nasty Java applet access your PC. If you use Netscape 6.2.2 or 7.0, you don’t need to upgrade to fix this flaw, but all earlier versions are affected.
Netscape versions 6.1 to 6.2.2 (inclusive) have a problem with the component used to download XML files. This bug could allow hackers to read files on your PC. Versions 6.0 through 6.2 have a hole that could permit Web sites to view cookies from other sites on your system. Both flaws are fixed in Netscape 7.01.
When the Cure Is Worse Than the Disease
The trouble with software patches is that they are themselves software. As a result, like the programs that they’re intended to fix, the patches sometimes have glitches or security holes of their own.
Case in point: Office XP Service Pack 2. Shortly after Microsoft released this update in August 2002, people who installed it found that Outlook crashed after downloading certain e-mail messages. Microsoft didn’t release a patch until December, so some people had to deal with an unstable e-mail client for a few months.
Security-conscious users, then, are caught on the horns of a dilemma: install patches as soon as they come out (and before any bugs are discovered), or wait and leave your system open to a known vulnerability?
Even the security experts punt on this question. Richard M. Smith, an independent Internet security and privacy consultant in Cambridge, Massachusetts, says that he regularly updates his Windows system–but tries to avoid using Windows XP’s Automatic Updates. “There’s a risk here that an update may get rushed out and not be fully debugged,” Smith explains. “[The update] might actually make things worse rather than better.”
System administrators don’t have much use for Automatic Updates–or, for that matter, the Windows Update site. “Windows Update does not lend itself nicely to the corporate world,” says Don Mungovan, vice president of IT for QST Industries, a textile supplier in Chicago. “An administrator still needs to be logged on to [each] machine, and I do not have the luxury to have someone touch every machine in a timely fashion.” Instead, Mungovan relies on Ecora Patch Manager to partially automate software patching.
What’s a Windows user to do? It depends on how much you trust Microsoft–and how much footwork you’re willing to do on your own. For the easiest updates, Windows XP Home Edition users should put Automatic Updates to work (see “Operating Systems” for details). When configuring the feature, limit your selection to “critical updates,” which will ensure that you’re fixing the most serious holes.
If you don’t trust Automatic Updates–or can’t use it because you have an older version of Windows–consider using the semiautomated Windows Update site instead; Smith says he follows that strategy.
Anyone who worries about potential problems with a new patch or service pack shouldn’t install patches as soon as they come out. Wait a week or two. Check Microsoft’s site to find out about any emerging caveats. For problems with non-Microsoft patches, you’ll need to monitor the vendors’ sites for updates. Remember to read our monthly Bugs and Fixes column for advice about dealing with troublesome patches from Microsoft and others. You can also search discussions on Google.
If a patch causes problems, you may or may not be able to remove it. “The reality is that sometimes patches simply are not uninstallable,” says Iain Mulholland, security program manager in Microsoft’s Security Response Center. So check the download notes (if any) for details about whether you can back out.
Office Suites: Safeguard Your Apps
Office XP: Because of a flaw in the way that Word, Excel, and PowerPoint detect macros within files, you could open up a document from a malicious user and trigger its macros to run without your noticing anything. Office XP Service Pack 1 takes care of the security problem and enhances overall performance as well.
After that service pack was released, new security threats were discovered relating to Word and Excel macro options and to Web-browsing components. Office XP Service Pack 2 seals those holes and includes a number of other bug fixes and performance enhancements. SP2 does not include the fixes offered in SP1; install SP1 before grabbing SP2.
Note: If you use Outlook 2002 and it crashes after you install SP2, you need another patch. See “E-Mail Programs” for more details.
Office 2000: In Microsoft Office 2000, the macro features in Excel are particularly vulnerable to outside attackers. On top of that, Outlook and Outlook Express have a flaw that leaves your machine open to the Worm.Explore.Zip (Pack) virus. Get the Service Release 1a Update.
Following Microsoft’s posting of SR-1a, additional security holes appeared on the scene, such as a problem in the way that Outlook handles e-mail attachments, and potential security problems with Excel, Word, PowerPoint, and RTF files. Office 2000 Service Pack 3 includes all the security patches released after SR-1a.
Whether you’re using Office XP or Office 2000, you may need to get the latest version of Microsoft Office Web Components. These tools come as part of Office XP, Office 2000, Money 2002, Money 2003, and other apps, and they are also available as a freestanding download from Microsoft’s site. Early versions have security holes that could give a Web site unauthorized access to files on your PC. Go to Microsoft Security Bulletin MS02-044 for a link to the patch. If you’ve installed Office XP SP2, you don’t need this fix.
Corel WordPerfect: According to Corel, there aren’t any significant security fixes in the company’s recent updates, Hot Patch 4 and Service Pack 3 for WordPerfect. The earlier Service Pack 2, however, permits WordPerfect Office 2002 to integrate with Entrust’s PKI Server, which will increase your security if you’re using that product.
If you use WordPerfect Office 2000, you might encounter a system error if you should attempt to open a password-protected file on a document management system. Installing the Office 2000 Hot Patch will restore your ability to use password-protected files in this situation.
Finally, WordPerfect Office 2000 Service Pack 4 enables WordPerfect to run in a safer, “restricted users” mode on Windows 2000 or Windows Terminal Server. The service pack is not available as a download; you need to request it from Corel customer service.
Other Net Tools: Media and Instant Messaging
Media players: Three security defects affect RealOne Player, and they potentially allow a hacker to run arbitrary programs on your computer. The company recommends that anyone using RealPlayer 8 or earlier editions upgrade, as well. The latest (secured) version is RealOne Player version 2. Jump to the company’s update page to get further details.
Microsoft Windows Media Player versions 6.4 and 7.1 and Windows Media Player for Windows XP all contain three separate security flaws. One of these problems is critical, since it could let an attacker take charge of your PC. You need the cumulative patch.
Macromedia Flash: Macromedia’s Flash player has a weakness that could allow a specially written Macromedia Flash file to take control of your PC. An earlier vulnerability allowed a Flash-powered site to download information from files that are stored on your PC. To fix both problems, the company advises you to install the latest version of the Macromedia Flash player (version 6,0,65,0 or later).
Instant Messaging Software: Last year, two buffer-overflow vulnerabilities were discovered in AOL Instant Messenger that would have allowed attackers to run code on your computer or to control it remotely. AOL says that it has fixed the problem on its own servers, so AIM users don’t have to make any changes themselves. But you might want to get the most recent version (5.1.3036) just to be safe.
If you’re using MSN Messenger 4.5 or 4.6, or the MSN Chat Control (an ActiveX control that lets you create online chat rooms), there’s a vulnerability that could allow an attacker to run code on your computer. Point your browser to Microsoft Security Bulletin MS02-022 for Microsoft’s patch.
Older versions of Yahoo Messenger may contain security flaws that could allow hackers to run code on your computer or to modify information in your Friend List. Yahoo recommends that you upgrade to the latest version of Yahoo Messenger (version 5.5) to fix the problem.
Link: Internet fixes