Windows

Used to categorise MS Windows related content.


Microsoft slips schedule, again...


As with all its operating system releases, Microsoft is again going to miss the shipping deadline for Windows Vista. There are already a lot of items out there, so I am not going to add to that nor give any link. But it leads me to think: when will MS deliver a piece of software on time? Not able to resist a temptation, this is a very good article on Windows and Linux and their delivery schedules.

It seems, though, that MS has (finally) realised that there is a problem and is changing its organizational hierarchy to address this issue. Microsoft has given the task to Steven Sinofsky, who headed the Office business. It seems that Sinofsky has a reputation for being a no-nonsense taskmaster and a person who gets things done on time. Whether he manages to turn around the division to fuel growth and meet deadlines remains to be seen.


Windows Vista may slip schedule, again...


It's been delayed so often that it is becoming a joke. Ballmer has said that the consumer launch (which means for people like you and me) could slip further based on feedback from the beta release program and product road maps from hardware vendors. What it really means is that there are still many, many bugs in Windows Vista, and that the hardware requirements are so high and/or that the hardware vendors have not yet figured out a working configuration for Windows Vista.

Let's assume that Microsoft will finally release the OS sometime next year (let's say April 2007). Why should I buy the OS? Just because it is new and Microsoft will not support older versions? Maybe. But what if it's going to pinch my purse as a home user too tightly? Or it does not match up to expectations? Why shouldn't I move to Linux or even Mac? What does a home user really need when using PCs? Internet, browser, office applications. That's it. There are some people who play games... Serious gamers. But then that's a small percentage of the user community.

All the above applications are available on other OSes in some form or other and at a lower cost. That is going to be a real possibility. So after so many delays and slips, people may decide, "Why bother?". Microsoft might also want to ask themselves the same question.


A new vulnerability in Microsoft Windows


According to Microsoft security advisory 926043, a flaw in the Windows Shell could allow remote execution of code. This vulnerability was first published on 28th September and was updated yesterday, 2nd October 2006, as the websites that exploit this flaw have been identified. The Microsoft WebViewFolderIcon ActiveX control (Web View) has been seen to exploit this vulnerability that exists in the Windows Shell.

The effect of this vulnerability is limited in scope given that there is no automatic execution of code. You have to in fact visit the malicious website to be affected. Since there is no way an attacker can force you to visit a particular website other than persuading or tricking you into clicking on a benign-looking link that in fact redirects you to the attacker's website, you should be pretty safe provided you follow the basic tenets of safe computing and browsing:

  1. Keep your antivirus software updated
  2. Do not click on links in emails from untrusted sources
  3. Do not allow websites to install ActiveX controls on your computer without your consent
  4. Do not log in as a user with administrative credentials unless absolutely necessary

Microsoft suggests some workarounds to protect your computer before Microsoft releases a security update during its monthly patch cycle on 10 October 2006.

Workaround 1: Prevent Internet Explorer from running the Microsoft WebViewFolderIcon ActiveX control by setting the kill bit in the registry for the control. To set the kill bit in the registry, paste the following lines in your favourite text editor and save the file with the extension .reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

To apply this registry file to individual systems simply double click it to run it. If you are an administrator with many computers to patch in one or more Windows domains, you can use Group Policy to distribute the registry settings.
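An added example, not part of the original post or of Microsoft's advisory: after the .reg file has been distributed, this Python check reads registry text exported from the ActiveX Compatibility key and reports whether the kill bit (0x400) is really set for the two CLSIDs in the workaround above. The function names and the sample export are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control

# CLSIDs taken from the .reg file in the workaround above.
WEBVIEW_CLSIDS = [
    "{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
    "{844F4806-E8A8-11d2-9652-00C04FC30871}",
]

COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

SECTION_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"\s*=\s*dword:([0-9a-f]{1,8})$', re.I)

# Constructed sample of exported registry text (not from a real machine).
# The first CLSID has the kill bit; the second key exists but the bit is clear.
# Files written by regedit or "reg export" are UTF-16, so decode them first.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000020
"""


def parse_compat_flags(reg_text):
    """Map each CLSID (lower-cased) under ActiveX Compatibility to its flags.

    A key that exists without a "Compatibility Flags" value maps to None.
    """
    prefix = COMPAT_KEY.lower() + "\\"
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1).lower()
            current = key[len(prefix):] if key.startswith(prefix) else None
            if current is not None:
                flags.setdefault(current, None)
            continue
        value = FLAGS_RE.match(line)
        if value and current is not None:
            flags[current] = int(value.group(1), 16)
    return flags


def audit_kill_bits(reg_text, clsids):
    """Return {clsid: 'set' | 'not set' | 'missing'} for the requested CLSIDs."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in clsids:
        key = clsid.lower()  # registry key names are case-insensitive
        if key not in flags:
            report[clsid] = "missing"      # workaround never applied
        elif flags[key] is not None and flags[key] & KILL_BIT:
            report[clsid] = "set"          # other flag bits may be set as well
        else:
            report[clsid] = "not set"      # key present, kill bit clear
    return report


if __name__ == "__main__":
    for clsid, state in audit_kill_bits(SAMPLE_EXPORT, WEBVIEW_CLSIDS).items():
        print(clsid, state)
```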

Workaround 2: Set the security settings for Internet Explorer to prompt you before running any ActiveX control. To set that in your Internet Explorer, follow the steps listed below:

  1. In Internet Explorer click on Tools --> Internet Options --> Security Tab
  2. Click Internet and click on Custom Level
  3. Scroll down to the ActiveX controls and plug-ins section and, under Run ActiveX controls and plug-ins, click on either Disable or Prompt, then click on OK.
  4. Follow the same steps for the Intranet zone and click OK to close the window.

The same settings can again be deployed to multiple PCs across Windows domains using Group Policy.

What is Web view?

Web View is one of two different formats provided by Windows Explorer for viewing file and folder information. This feature allows users to preview documents in a thumbnail view before opening. In addition, information such as title and author is displayed.

Notice: By disabling the above ActiveX control, the websites that make use of ActiveX control will stop functioning correctly. In addition you will no longer be able to preview your pictures in thumbnails in Windows Explorer.

Warning: Only expert users should modify registry settings, if at all. Incorrectly modifying the registry may create other problems or render your Windows installation useless. I don't guarantee that the incorrect settings will not harm your computer and accept no liability for your actions. The tip provided here is as is and should be used at your own discretion and caution. I have tested these out on my own computer and found them to be working correctly.


Microsoft Patch Tuesday for October


Microsoft plans to release a total of 11 security bulletins during its monthly patch update cycle for October 2006. Six of those apply to Microsoft Windows and the maximum severity rating for some of them is "Critical". That means that attackers can possibly take over the computer affected by this vulnerability or execute code remotely.

Four of the patches apply to Microsoft Office and the maximum severity rating for one or more of them is "Critical". Again, it means that attackers can possibly take over the computer affected by this vulnerability or execute code remotely.

One of the updates applies to the Microsoft .NET Framework, and the maximum severity rating for this update is Moderate. It means that there exists a possibility of a bug that this update will fix, and there will be no possibility of remote code execution. Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. This tool update will not be distributed through Software Update Service.

In addition to these, Microsoft will also release two non-security updates for other Microsoft products on Microsoft Update (MU) and Windows Server Update Services (WSUS). There will be none for Microsoft Windows.

Microsoft has not made any additional details of the updates available at this time; they will be published on 10th October 2006 along with the updates.

Analysis and Recommendation: With more critical patches coming out, I would recommend applying the security updates to your Windows infrastructure as soon as they are released and adequately tested in your environment. For Microsoft Office, you can probably apply those patches only if the critical vulnerability is going to affect your environment and users and you can probably get by without applying the .NET patch.

Having said that, these recommendations are not authoritative and may change since no details of the vulnerabilities are available at this time. I will follow up on this with some more concrete recommendations when Microsoft releases the patches.


Microsoft releases 10 patches for October


Microsoft has published 10 updates (MS06-56 to MS06-65) for its products during its monthly update cycle. In an earlier bulletin released on 5 October 2006, Microsoft had initially said that there would be 11 updates in this cycle. Six updates have received the highest severity rating of Critical and primarily affect the Office suite (4 updates out of 6 are for Office). One update has received the severity rating Important and it affects Windows OS. Two updates are rated as Moderate and they affect the ASP.NET and Windows Object Packager products. Finally, one patch has been rated as Low and it addresses a vulnerability in TCP/IP that could allow Denial of Service.

The following table lists the vulnerability details along with my recommendation for each.

| Bulletin No | Summary | Rating | Software Affected | Impact | Recommendation |
|---|---|---|---|---|---|
| MS06-57 | This update resolves a vulnerability in Windows that could allow remote code execution | Critical | Windows | RCE | Apply immediately |
| MS06-58 | This update resolves vulnerabilities in PowerPoint that could allow remote code execution | Critical | Office PowerPoint | RCE | Apply ASAP |
| MS06-59 | This update resolves vulnerabilities in Excel that could allow remote code execution | Critical | Office Excel | RCE | Apply ASAP |
| MS06-60 | This update resolves several vulnerabilities in Microsoft Word, the most critical of which could allow remote code execution | Critical | Office Word | RCE | Apply ASAP |
| MS06-61 | This update resolves vulnerabilities in Windows that could allow remote code execution | Critical | Windows | RCE | Apply immediately |
| MS06-62 | This update resolves vulnerabilities in Office that could allow remote code execution | Critical | Office | RCE | Apply ASAP |
| MS06-63 | This update resolves vulnerabilities in Windows that could allow denial of service | Important | Windows | DoS | Apply ASAP |
| MS06-56 | This update resolves a vulnerability in ASP.NET that could allow information disclosure | Moderate | Windows, .NET Framework | ID | Apply as scheduled |
| MS06-65 | This update resolves a vulnerability in Object Packager that could allow remote code execution | Moderate | Windows | RCE | Apply ASAP |
| MS06-64 | This update resolves several vulnerabilities in Windows, the most critical of which could allow denial of service | Low | Windows | DoS | Apply ASAP |

Legend:

RCE - Remote Code Execution

DoS - Denial of Service

ID - Information Disclosure

The updates are listed according to their severity. What do my recommendations mean to you?

Apply immediately means you should schedule an emergency change and apply the update immediately.

Apply ASAP means you should schedule a change and downtime as soon as business allows and apply the update.

Apply as scheduled means that you can apply this update during your regular update cycle, if you have one.

If you notice the pattern of my recommendations, anything that affects Windows and involves RCE or DoS earns an Apply ASAP recommendation from me. Regardless of what Microsoft says, any person with malicious intent will not see the rating, but will just look at the opportunity to cause damage, and according to me any vulnerability that can cause RCE is an opportunity.

Also notice the language used in the summaries. Some of the updates resolve "several" vulnerabilities, as opposed to a single update resolving a single vulnerability. Additional information about the number of vulnerabilities fixed is not available at this time from Microsoft. But I will update as soon as I get any more information.


Follow-up with Microsoft on Patch Tuesday


As I had noted in the previous post, Microsoft has addressed multiple vulnerabilities in the 10 updates that they released. I tried to get in touch with them to find out exactly how many vulnerabilities had been addressed so that I can keep track. All the links posted on the Microsoft website point towards the MSRC blog.

When I checked the MSRC blog, the first thing is that they have disabled anonymous comments. Understandable. But they have also disabled all new comments on the subject. I wondered why.

So do I understand this as Microsoft's unwillingness to answer questions about the latest patch updates? Or am I supposed to make a call to Microsoft support to get those details?

Any thoughts on this?


Microsoft re-releases security bulletin MS06-61 for Windows 2000 SP4


Microsoft yesterday re-released the security bulletin number MS06-61 that addresses the vulnerability in Microsoft XML Core services that could allow unauthorised remote code execution. The security update previously released did not set the kill bit correctly for Microsoft XML Parser 2.6. The bug in the update affected Microsoft Windows 2000 SP4 and later operating systems running Microsoft XML Parser 2.6 and Microsoft XML Core Services 3.0 and Microsoft Office 2003 SP1 and SP2 running Microsoft XML Core Services 5.0 Service Pack 1.

Users running Microsoft XML Core Services 2.5 are not affected by this bug. It is advised that users apply this patch immediately if it is required to be applied for your environment. You can either use the Microsoft Baseline Security Analyzer or SMS to determine whether this patch is required or not. MBSA 1.2.1 and SMS 2.0 CANNOT determine the patching requirement for Microsoft Windows Server 2003 Enterprise Itanium edition and SP1 Itanium edition and x64 edition family.

The CLSIDs (Class Identifiers) and the corresponding files where the Microsoft XML Core Services functionality is contained are listed below:

| Class Identifier | File |
|---|---|
| f5078f22-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f1b-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f1c-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f1d-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f1e-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f21-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f1f-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f20-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f28-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f29-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |
| f5078f26-c551-11d3-89b9-0000f81fe221 | Msxml2.dll |

This security update addresses two vulnerabilities:

1. Microsoft XML Core Services Vulnerability as recorded and submitted as a candidate in the Common Vulnerabilities and Exposures (CVE) as CVE-2006-4685.

A vulnerability exists in Microsoft XML Core Services that could allow for information disclosure because the XMLHTTP ActiveX control incorrectly interprets an HTTP server-side redirect. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially lead to information disclosure if a user visited that page or clicked a link in a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could access content from another domain retrieved using the credentials of the user browsing the Web at the client. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. However, user interaction is required to exploit this vulnerability.

2. XSLT Buffer Overrun Vulnerability as recorded and submitted as a candidate in the CVE as CVE-2006-4686.

A vulnerability exists in XSLT processing that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited that page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.


Speed up your computer


No matter how fast the processor becomes or how cheap the memory gets, software vendors always manage to build applications that consume all available processing power, memory and other computing resources and always demand more. How can we as users keep on top of all this? Simple. Just run what is necessary on your computer and disable / uninstall everything else that you don't need. But how can normal Joe Users like us figure out what is necessary and what is not?

Here's where I try to help by providing some tips and suggestions to optimise the usage of computing resources and increase the performance of your computer. Windows installs and starts up many services that may not be needed in a normal home environment or even in an enterprise environment. Windows OS, out of the box, is a trade-off between usability and optimum performance and security. Every person should configure and lock the system down to improve performance and security. In addition, the OEM manufacturers install a lot of software that automatically starts up and takes up a lot of resources. But that is a different story altogether. I will not venture there right now as it has to be tackled on a case-by-case basis.

To speed up the computer without a lot of effort, some services should be disabled. I will list and explain the services in a phased manner so as to ensure that your computer does not break down and keeps running properly after services are turned off. To disable the services, first we need to start the Services Management console. In Windows XP, to start the console click on Start --> Settings --> Control Panel. If you are using the newer Category interface, click on Performance and Maintenance and click on Administrative Tools. In that, look for an icon that looks like two engaged gears and is named Services. If you use the Windows Classic interface, then double click on Administrative Tools and double click on Services to start the console. A shortcut to start the console is to click on Start --> Run and type services.msc in the dialog window that appears.

You can scroll through the services to find out which are automatic and I am sure you will be amazed to find out what all is running on your computer. To start with you can safely disable the following services.


| Service Name | Description | Suggestion | Remarks |
|---|---|---|---|
| Alerter | This service notifies selected users and computers of any administrative events or alerts | Disable | In a home environment, we don't run any applications that require receiving administrative alerts. |
| Application Management | This service processes installation, removal and enumeration requests for Active Directory IntelliMirror group policy programs | Disable | We do not use Active Directory (used only in enterprise environment) in home computers |
| ClipBook | This service enables ClipBook Viewer to store information and share it with remote computers | Disable | Even if you have more than one computer at home, this service should be turned off. This may give rise to some unknown security vulnerability |
| Computer Browser | This service maintains an up-to-date list of computers on your network, and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources. | Disable | Same as above. In case you need to browse other computers on your network, you can temporarily enable the service. |
| Distributed Link Tracking Client | This service ensures that shortcuts and OLE (Object linking and embedding) links continue to work after the target file is renamed or moved by maintaining links in the file system | Disable | This is more useful in a networked environment where documents and spreadsheets are shared and linked to other documents and spreadsheets. |

To disable a service, open the service's properties page by double clicking it, click on Stop to stop the service, and select Disabled from the drop-down menu next to Startup Type as shown. To start the same service, open the service's properties page by double clicking it, change the startup type to Manual and click on Start to start the service.

That's all for this edition. I will list down more services with additional tips in the next edition.
