Published Work

Internet fixes

by Kim Zetter and Dylan F. TweneyFrom the April 2003 issue of PC World magazine [author’s note: Kim wrote the main story; I wrote the six sidebars, the text of which is reproduced below. Be sure to get the magazine to see the excellent illustrations by Hal Mayforth!] Internet Fixes   E-Mail Programs
Dylan Tweney 10 min read

by Kim Zetter and Dylan F. Tweney
From the April 2003 issue of PC World magazine

[author’s note: Kim wrote the main story; I wrote the six sidebars, the text of which is reproduced below. Be sure to get the magazine to see the excellent illustrations by Hal Mayforth!]


Internet Fixes

E-Mail Programs: Insulate Your In-Box

Microsoft Outlook: Security vulnerabilities in Outlook  2002 are addressed by the service packs for Office XP (see “Office    Suites“). Once you’ve installed Service Pack 2, however,  Outlook may start crashing. To fix that problem–and to patch yet another  security hole that spammers could use to crash your e-mail  application–download the   Outlook 2002    Update.

Outlook 2000 users need to get Office 2000 SR-1a and Service Pack 3 (see  “Office    Suites” for details). Once SP3 is installed, you may find that  Outlook 2000 fails to behave properly, or that it uses 100 percent of your CPU  resources when running in Internet Mail Online mode. A   small    patch will cure that problem.

If you don’t want to install Office 2000 SP3 for some reason, you should  at least install the latest version of the   Outlook 2000    Security Update, which will protect you against e-mail viruses  and worms.

Microsoft Outlook Express: Outlook Express is bundled  with Internet Explorer; so to secure Outlook Express, you need the latest fixes  for the browser. Get the   cumulative    patches for IE 5.5 and 6.

Outlook Express 6 and Outlook Express 5.5 Service Pack 2 also have a  vulnerability that hackers could exploit to crash or hack into your computer,  just by sending you a digitally signed e-mail message. To prevent this  theoretical attack, download the   Security    Update for Outlook Express.

A separate,   cumulative    update for Outlook Express 6 users patches a number of other  security gaps.

Eudora: Eudora versions 5.0 and 5.1 could allow an  attacker to run code on your machine by sending you specially formatted  multipart e-mail messages. Unlike Microsoft, Qualcomm doesn’t do patches. The  newest version of the program, Eudora 5.2, takes care of the problem. (The   upgrade is  free for users who purchased and registered Eudora 5.   x.)

To protect yourself against “cross-site scripting,” which can let  HTML-formatted e-mail messages execute code on your machine while posing as Web  sites that you trust, go to   Tools, Options, Viewing Mail, and make sure  that ‘Allow Executables in HTML Content’ is not checked.

–Dylan Tweney

Operating Systems: Protect Your Platform

All Versions of Windows: Microsoft’s Windows    Update site automates the patching process by recommending  downloads based on your PC’s configuration; it can save you a lot of time.  Windows Update also allows you to download everything in one fell swoop.

IS managers should visit the   Windows    Update Catalog page. There you can locate updates by operating  system and program, and then install them manually.

If you want to stay on top of the latest security updates as they are  released, or browse through past updates, head over to   Microsoft’s    Security & Privacy pages, where you’ll find the most recent  bulletins, as well as the archived ones. You can also   sign    up to have Microsoft put you on its e-mail list to receive its  security alerts.

If you prefer to obtain your patches a la carte, read on.

Windows XP: Whether you have XP Home Edition or XP  Professional Edition, you have security problems stemming from Universal Plug  and Play, glitches in the way XP handles SSL certificates from secure Web  sites, a bug that could prevent you from accessing encrypted files after you  change your password, and other issues. The fix: Install   Windows    XP Service Pack 1.

Windows XP users can avoid visiting the Windows Update site by turning  on Automatic Updates, which will download patches as soon as they become  available–and install them for you too, if you want. Right-click   My Computer, select   Properties, and choose the   Automatic Updates tab. Put a check in the box  beside   Keep my computer up to date, and specify  whether you want Auto Update to notify you before it installs the updates or  you want it to do its thing automatically. Automatic updating is available for  Windows 2000 users, too; it’s included in   Windows    2000 Service Pack 3.

Because patches themselves can cause difficulties (see “When the    Cure Is Worse Than the Disease“), we recommend that you have  Windows notify you before it installs any patches. If the notifications  themselves become annoying, then turn off Auto Update–but don’t forget to  check periodically for new patches.

Windows Me: Windows Me has a number of security holes,  including problems in the way Me handles digital certificates and a bug that  lets other users on a network view shared folders on your PC even if they don’t  have the right password. There’s no service pack for Windows Me, however, nor  is there a single list of security patches for this operating system. The  easiest way to patch your Me system is to go to the   Windows Update    site.

Windows 2000: This version has hundreds of serious  security holes and bugs, including multiple flaws relating to password theft,  denial-of-service attacks, and more.   Service    Pack 3  will help fend them off.

The   Windows    2000 High Encryption Pack  provides 128-bit encryption support for Web sites that run on a Win 2000  server, increasing the security of online transactions.

Windows 98 and Windows 98 Second Edition: The first  edition of Windows 98 has a limited number of security problems, including a  hole that could allow an intruder to get around log-in and password screens.  The   Windows 98    Customer Service Pack  fixes the flaws, along with a few stability issues. Windows 98 SE users  don’t need this service pack.

Besides the Customer Service Pack, there are a dozen additional security  updates for Windows 98 and Windows 98 SE. Among the security gaps corrected are  weaknesses that allow hackers to run malicious code on your computer, crash  your e-mail program, and retrieve stored passwords. Microsoft  provides a   list of    Windows 98 security updates and links to the patches.

–Dylan Tweney

Browsers: Beef Up Their Borders

Internet Explorer: If you’re using Internet Explorer 6,  critical security issues include a vulnerability that maliciously programmed  Web sites could exploit to gain access to files on your PC, and a bug that  permits sites to read and change the contents of cookies that other sites have  stored on your PC. To mitigate these risks, download    Internet    Explorer Service Pack 1. (Note: IE SP1 is included in SP1 for  Windows XP.)

The   High    Encryption Pack adds 128-bit encryption to IE, beefing up  security for online transactions. It’s available for  IE versions 4 to 5.01. Versions 5.5 and 6 already include 128-bit  encryption.

Once you have installed the IE service packs, you should check regularly  for the most recent updates. See Microsoft’s    bulletins (under Security Updates), or jump to   Critical    Updates  for links to all cumulative patches.

If you’re using IE 5.01, 5.5, or 6 on any platform except Windows XP,  your PC has a critical security gap in the Microsoft Data Access Components. By  attacking this weakness, a hacker could run devious code on your PC. The   patch  is not included in IE’s cumulative updates. Windows XP users don’t need  this fix.

If you’re using IE 5.5, you need to fix some minor security  vulnerabilities. Get    Service    Pack 2. IE 5.01 users need to plug various minor security  holes, too, by installing their   Service    Pack 2.

Netscape: The latest version of Netscape’s browser,   Netscape    7.01,  includes every security update that the company has provided to date. One flaw  could let a nasty Java applet access your PC. If you use Netscape 6.2.2 or 7.0,  you don’t need to upgrade to fix this flaw, but all earlier versions are  affected.

Netscape versions 6.1 to 6.2.2 (inclusive) have a problem with the  component used to download XML files. This bug could allow hackers to read  files on your PC. Versions 6.0 through 6.2 have a hole that could permit Web  sites to view cookies from other sites on your system. Both flaws are fixed in  Netscape 7.01.

–Dylan Tweney

When the Cure Is Worse Than the Disease

The trouble with software patches is that they are themselves software.  As a result, like the programs that they’re intended to fix, the patches  sometimes have glitches or security holes of their own.

Case in point: Office XP Service Pack 2. Shortly after Microsoft  released this update in August 2002, people who installed it found that Outlook  crashed after downloading certain e-mail messages. Microsoft didn’t release a  patch until December, so some people had to deal with an unstable e-mail client  for a few months.

Security-conscious users, then, are caught on the horns of a dilemma:  install patches as soon as they come out (and before any bugs are discovered),  or wait and leave your system open to a known vulnerability?

Even the security experts punt on this question. Richard M. Smith, an  independent Internet security and privacy consultant in Cambridge,  Massachusetts, says that he regularly updates his Windows system–but tries to  avoid using Windows XP’s Automatic Updates. “There’s a risk here that an update  may get rushed out and not be fully debugged,” Smith explains. “[The update]  might actually make things worse rather than better.”

System administrators don’t have much use for Automatic Updates–or, for  that matter, the Windows Update site. “Windows Update does not lend itself  nicely to the corporate world,” says Don Mungovan, vice president of IT for QST  Industries, a textile supplier in Chicago. “An administrator still needs to be  logged on to [each] machine, and I do not have the luxury to have someone touch  every machine in a timely fashion.” Instead, Mungovan relies on   Ecora Patch    Manager to partially automate software  patching.

What’s a Windows user to do? It depends on how much you trust  Microsoft–and how much footwork you’re willing to do on your own. For the  easiest updates, Windows XP Home Edition users should put Automatic Updates to  work (see “Operating    Systems” for details). When configuring the  feature, limit your selection to “critical updates,” which will ensure that  you’re fixing the most serious holes.

If you don’t trust Automatic Updates–or can’t use it because you have  an older version of Windows–consider using the semiautomated   Windows Update    site  instead; Smith says he follows that strategy.

Anyone who worries about potential problems with a new patch or service  pack shouldn’t install patches as soon as they come out. Wait a week or two.  Check   Microsoft’s    site to find out about  any emerging caveats. For problems with non-Microsoft patches, you’ll need to  monitor the vendors’ sites for updates. Remember to read our monthly   Bugs and    Fixes column  for advice about dealing with troublesome patches from Microsoft and  others. You can also search   discussions on Google.

If a patch causes problems, you may or may not be able to remove it.  “The reality is that sometimes patches simply are not uninstallable,” says Iain  Mulholland, security program manager in Microsoft’s Security Response Center.  So check the download notes (if any) for details about whether you can back  out.

–Dylan Tweney

Office Suites: Safeguard Your Apps

Office XP: Because of a flaw in the way that Word,  Excel, and PowerPoint detect macros within files, you could open up a document  from a malicious user and trigger its macros to run without your noticing  anything.   Office XP Service    Pack 1 takes care of the security problem and enhances overall  performance as well.

After that service pack was released, new security threats were  discovered relating to Word and Excel macro options and to Web-browsing  components.   Office XP    Service Pack 2 seals those holes and includes a number of other  bug fixes and performance enhancements. SP2  does not include the fixes offered in SP1; install SP1 before grabbing SP2.

Note: If you use Outlook 2002 and it crashes after you  install SP2, you need another patch. See “E-Mail Programs” for more  details.

Office 2000: In Microsoft Office 2000, the macro  features in Excel are particularly vulnerable to outside attackers. On top of  that, Outlook and Outlook Express have a flaw that leaves your machine open to  the Worm.Explore.Zip (Pack) virus. Get  the   Service Release    1a Update.

Following Microsoft’s posting of SR-1a, additional security holes  appeared on the scene, such as a problem in the way that Outlook handles e-mail  attachments, and potential security problems with Excel, Word, PowerPoint, and  RTF files.   Office 2000    Service Pack 3  includes all the security patches released after SR-1a.

Whether you’re using Office XP or Office 2000, you may need to get the  latest version of Microsoft Office Web Components. These tools come as part of  Office XP, Office 2000, Money 2002, Money 2003, and other apps, and they are  also available as a freestanding download from Microsoft’s site. Early versions  have security holes that could give a Web site unauthorized access to files on  your PC. Go to   Microsoft    Security Bulletin MS02-044  for a link to the patch. If you’ve installed Office XP SP2, you don’t  need this fix.

Corel WordPerfect: According to Corel, there aren’t any  significant security fixes in the company’s recent updates,   Hot    Patch 4 and Service Pack 3 for WordPerfect. The earlier Service  Pack 2, however, permits WordPerfect Office 2002 to integrate with Entrust’s  PKI Server, which will increase your security if you’re using that product.

If you use WordPerfect Office 2000, you might encounter a system error  if you should attempt to open a password-protected file on a document  management system. Installing the   Office    2000 Hot Patch  will restore your ability to use password-protected files in this  situation.

Finally,   WordPerfect Office 2000    Service Pack 4 enables WordPerfect to run in a safer,  “restricted users” mode on Windows 2000 or Windows Terminal Server. The service  pack is not available as a download; you need to request it from Corel customer  service.

–Dylan Tweney

Other Net Tools: Media and Instant Messaging

Media players: Three security defects affect RealOne  Player, and they potentially allow a hacker to run arbitrary programs on your  computer. The company recommends that anyone using RealPlayer 8 or earlier  editions upgrade, as well. The latest (secured) version is RealOne Player  version 2. Jump to   the company’s update page  to get further details.

Microsoft Windows Media Player versions 6.4 and 7.1 and Windows Media  Player for Windows XP all contain three separate security flaws. One of these  problems is critical, since it could let an attacker take charge of your PC.  You need the   cumulative    patch.

Macromedia Flash: Macromedia’s Flash player has a  weakness that could allow a specially written Macromedia Flash file to take  control of your PC. An earlier vulnerability allowed a Flash-powered site to  download information from files that are stored on your PC. To fix both  problems, the company advises you to install the latest version of the   Macromedia    Flash player (version 6,0,65,0 or later).

Instant Messaging Software: Last year, two  buffer-overflow vulnerabilities were discovered in AOL Instant Messenger that  would have allowed attackers to run code on your computer or to control it  remotely. AOL says that it has fixed the problem on its own servers, so AIM  users don’t have to make any changes themselves. But you might want to get the   most recent    version (5.1.3036) just to be safe.

If you’re using MSN Messenger 4.5 or 4.6, or the MSN Chat Control (an  ActiveX control that lets you create online chat rooms), there’s a  vulnerability that could allow an attacker to run code on your computer. Point  your browser to   Microsoft    Security Bulletin MS02-022 for Microsoft’s patch.

Older versions of Yahoo Messenger may contain security flaws that could  allow hackers to run code on your computer or to modify information in your  Friend List. Yahoo recommends that you upgrade to the latest version of   Yahoo    Messenger (version 5.5) to fix the problem.

–Dylan Tweney

Link: Internet fixes

Link broken? Try the Wayback Machine.

Share
Comments
More from Dylan Tweney - Storylines

Storylines

Subscribe to my newsletter on writing & storytelling

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Dylan Tweney - Storylines.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.