
Friday, September 28, 2007

How to Put an End to Microsoft's Sneaky "Silent Updates"

The following is an excerpt from Scott Dunn's informative September 20th article in Windows Secrets Newsletter on how to keep Microsoft from installing silent updates without your permission...

If you're an individual or a small business using Windows Update (or its enhanced sibling, Microsoft Update), you may be concerned about Microsoft installing patches before you've had a chance to research their reliability. In that case, you can completely turn off the Automatic Updates Agent, thereby preventing updates or even notifications from occurring. If you take this step, you'll become solely responsible for learning about new Microsoft patches yourself. I'll explain below how to adapt to this situation. In the meantime, here's how to turn off Automatic Updates and prevent stealth installs:

In Windows XP, take these steps:
Step 1. Open Control Panel and launch Automatic Updates (in the Security Center category).
Step 2. Select Turn off Automatic Updates. Click OK.

In Windows Vista, take these steps:
Step 1. Open Control Panel and launch Windows Update (in the System and Maintenance category).
Step 2. In the left pane, click Change settings.
Step 3. Click Never check for updates (not recommended). Click OK.
Step 4. Click Continue, if prompted by User Account Control.

With Automatic Updates turned off, Windows Update will still update itself (and notify you of patches), but only when you manually launch Windows Update and give your consent.
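An added audit script (not part of the Windows Secrets article) that reports the Automatic Updates state the Control Panel steps above change, by reading the registry values the Automatic Updates client uses on XP, Vista and later; it assumes the documented `AUOptions` and `NoAutoUpdate` values and the `wuauserv` service name.

```powershell
# Reports how Automatic Updates is configured and whether a policy overrides the
# Control Panel choice. Read-only; runs as an ordinary user.

function Get-AutoUpdateState {
    # The Group Policy key takes precedence over the Control Panel setting.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    # Documented AUOptions values for the Automatic Updates client.
    $meaning = @{
        1 = 'Automatic Updates disabled (Control Panel: Turn off / Never check)'
        2 = 'Notify before download'
        3 = 'Download, then notify before install'
        4 = 'Download and install on a schedule'
        5 = 'Automatic Updates required, user chooses the schedule'
    }

    $source = 'Control Panel'
    $noAuto = (Get-ItemProperty -Path $policy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $au     = (Get-ItemProperty -Path $policy -Name AUOptions    -ErrorAction SilentlyContinue).AUOptions
    if ($null -ne $noAuto -or $null -ne $au) { $source = 'Group Policy' }
    if ($null -eq $au) {
        $au = (Get-ItemProperty -Path $local -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    }
    # NoAutoUpdate=1 disables the agent regardless of AUOptions.
    if ($noAuto -eq 1) { $au = 1 }

    $text = 'Not configured'
    if ($null -ne $au -and $meaning.ContainsKey([int]$au)) { $text = $meaning[[int]$au] }

    # wuauserv is the Automatic Updates / Windows Update service.
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $svcState = 'wuauserv not found'
    if ($svc) { $svcState = [string]$svc.Status }

    $risk = 'Patches arrive automatically'
    if ($au -eq 1) { $risk = 'No patches unless you launch Windows Update yourself' }

    New-Object PSObject -Property @{
        AUOptions     = $au
        Meaning       = $text
        ConfiguredBy  = $source
        ServiceStatus = $svcState
        Note          = $risk
    }
}

Get-AutoUpdateState | Format-List
```

If the output says Group Policy, the Control Panel steps above will be overridden at the next policy refresh, which is the usual reason the setting appears to turn itself back on.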

What to do about repeated boot-up warnings:
Turning off Automatic Updates can cause Windows Security Alert pop-up balloons to appear in the taskbar tray every time you log on. (See Figure 1.)

Figure 1. Turning off Automatic Updates causes scary error balloons featuring a red shield.

If this bothers you, Windows XP allows you to suppress any warnings that relate to Automatic Updates. You can also do this in Vista but, unfortunately, the newer OS forces you to turn off all security alerts just to suppress the Automatic Updates warnings.

To eliminate the warning balloons about Automatic Updates in both XP and Vista, take these steps:
Step 1. Double-click the red shield icon in the taskbar, or open the Control Panel and launch the Security Center.
Step 2. In the left pane or box, click Change the way Security Center alerts me.
Step 3-XP. In XP, uncheck Automatic Updates and click OK.
Step 3-Vista. In Vista, select the second or third option.

Use Secunia's Software Inspector to check for updates:
With the Windows Update Agent turned off, how will you know if you have the latest security patches and updates you need?
First, read the Windows Secrets Newsletter that comes out two days after Patch Tuesday. Look in their paid section for descriptions of any patches that are reported to have negative side-effects, and use their recommended workarounds if any problems might affect you. Then, to check for needed updates to Windows and dozens of other programs, use the Secunia Software Inspector. This is a free service.

Once you know what updates you need, you can visit the Microsoft Update Web site, which offers updates for both Windows and Microsoft Office. The Secunia report includes a link to Microsoft's site and other update sites so you don't even have to bookmark them. Download and install the necessary patches. Reboot your PC and you should be good to go -- without the sneaky, underhanded, stealth "updates" Microsoft is trying to force on computer users.

Wednesday, January 03, 2007

It's a Month of Apple Bugs; for Some!

Source: TechTree
A zero-day vulnerability in Apple Computer's QuickTime media player has been posted, kicking off a project quite strangely titled as the "Month of Apple Bugs" (MoAB).
What has also been posted is an exploit that can be used by hackers to compromise, hijack, or infect computers running Microsoft Windows or Apple Mac OS X.
The QuickTime vulnerability lies in the way the media player software handles Real Time Streaming Protocol or RTSP. An attacker can create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow. The vulnerability affects QuickTime 7.1.3 on both Mac OS X and Windows systems. Previous versions of QuickTime could also be vulnerable.
A sequel to the 'Month of Kernel Bugs' project, MoAB is hosted by a hacker who goes under the initials LMH, and a researcher, Kevin Finisterre, who has posted several such Mac vulnerabilities on his Web site.
MoAB takes upon itself the task of announcing a new security vulnerability in Apple's OS or other Mac OS X software each day of this month. Of the QuickTime vulnerability, LMH says, "The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account. It can be triggered via JavaScript, Flash, common links, QTL files, and any other method that starts QuickTime."
Both LMH and Finisterre write about the vulnerability on the MoAB Web site, saying that exploitation of this bug is trivial, and that the associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player. However, Danish security major, Secunia, has given the bug a 'highly critical' rating. Apple, on its part, continues to remain non-committal. In an email, a spokesperson for Apple has said the company takes security very seriously, and that it welcomes feedback on how to improve security on the Mac.
In any case, until such time as this potential bug is patched, users are advised to cripple QuickTime's ability to process rtsp:// links. As regards users of Microsoft Windows, they are advised to launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor". Users of Mac OS X are advised to select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies, and clear the "RTSP stream descriptor" box.

Sunday, October 29, 2006

Microsoft Investigates IE7 Breach

iAfrica.com Staff Reporter
Microsoft on Thursday said it would investigate a reported security vulnerability in its new web browser software, Internet Explorer 7, but downplayed the risk. Danish security company Secunia on Wednesday announced that they've discovered a security vulnerability in Microsoft's new browser, which could allow "spoofing" of a URL in the browser's address bar. "The problem is that it's possible to display a popup with a somewhat spoofed address bar where a number of special characters have been appended to the URL. This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions," Secunia said in a release to users.
Microsoft, however, downplayed the seriousness of the vulnerability, while vowing to investigate, reports InformationWeek. "We're not aware of any attacks that are attempting to use this," said Microsoft's security program manager at its response centre, Christopher Budd. "But as always we will continue to monitor the situation throughout our investigation." He also suggested that users look at the complete URL by scrolling in the address bar before proceeding on a suspicious website.
Secunia, however, did not share Microsoft's appraisal of the situation: "These are the kind of spoofing vulnerabilities, which IE7 was supposed to be better at protecting against than its predecessor," Secunia's chief technology officer, Thomas Kristensen, told iTWire. "While the issue isn't clear cut since the vigilant user might be able to spot that something isn't quite right, then any user not wearing the paranoid glasses is easily fooled by this trick — despite the built-in anti-phishing mechanism being enabled."

Tuesday, October 24, 2006

The "First Security Hole" in IE 7

By Brian Livingston
Much was made last week about the "first vulnerability" that was supposedly found in IE 7. There is in fact a vulnerability, but it's also one that's present in IE 5 and 6, which Microsoft has never corrected, although it's easy for you to work around it. The Dutch security firm Secunia reported on October 19th that malicious Web sites could grab data from other sites that had IE 7 windows open. For example, if you happened to be logged in to your online banking application and concurrently visited a hacker site, the bad site could see information from your banking site.
Microsoft developers pooh-poohed the weakness, saying in an Oct. 19 blog post that the problem actually exists in an Outlook Express component, not a part of IE 7.
I've examined this claim and find that IE 7 does have a real problem, regardless of whether the code being exploited is considered a part of Outlook Express. In addition, the SANS Internet Storm Center confirmed on October 20th that IE 7 is vulnerable.
Secunia has posted a harmless browser test page that you can use to test your own copy of IE, and I urge you to do so. The firm also provides a description of the problem in two separate advisories: one for IE 7 and the other for IE 5 and 6. I tested a workaround recommended by Secunia and found that it works. Use the Tools, Internet Options menu item in IE, select the Security tab, then change the Custom Level. Switch options to run ActiveX content to "Disable," then run Secunia's browser test again. After making this change to my copy of IE, the test no longer found that my browser was vulnerable.
Of course, no version of the Firefox browser has ever been vulnerable to the Secunia test. Until Microsoft closes this and other IE holes for good, Firefox gets my recommendation as the safest browser you can use to surf the Web.
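An added script (not from Brian Livingston's column) that checks, and with `-Apply` sets, the workaround described above: "Run ActiveX controls and plug-ins" disabled in IE's Internet zone. It assumes the documented zone layout (zone 3 = Internet, action 1200 = run ActiveX controls, 0/1/3 = Enable/Prompt/Disable) and the `Security_HKLM_only` policy value; the `-Apply` switch name is this example's own.

```powershell
# Audits the per-user Internet zone ActiveX setting that the
# Tools > Internet Options > Security > Custom Level dialog writes.
param([switch]$Apply)

# Zone 3 is "Internet"; action 1200 is "Run ActiveX controls and plug-ins".
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$action   = '1200'
$state    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXSetting {
    $v = (Get-ItemProperty -Path $zonePath -Name $action -ErrorAction SilentlyContinue).$action
    if ($null -eq $v) { return 'Not set (IE default for the zone applies)' }
    if ($state.ContainsKey([int]$v)) { return $state[[int]$v] }
    return "Unknown value ($v)"
}

# When an administrator has locked zone settings to HKLM, the per-user value
# read above is ignored, so report that before drawing any conclusion.
$lock = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path $lock -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Warning 'Security_HKLM_only is set: zone settings come from HKLM, not this user profile.'
}

"Internet zone, Run ActiveX controls and plug-ins: $(Get-ActiveXSetting)"

if ($Apply) {
    # 3 = Disable, the Custom Level choice the Secunia workaround recommends.
    Set-ItemProperty -Path $zonePath -Name $action -Value 3 -Type DWord
    "After change: $(Get-ActiveXSetting)"
}
```

Run Secunia's browser test before and after `-Apply` to confirm the change has the effect the column describes; IE must be restarted to pick up a zone change.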