Sunday, February 13, 2005
What you need to do SOON after Windows Update
First things first
First, if you haven't already downloaded Microsoft's security fixes from last Tuesday, do it now. Go to the Start menu and click Windows Update. If you get an error message about your computer's clock being wrong, ignore it and try again. If you're logged in without Administrator privileges, which is a good idea, then instead of clicking on Windows Update hold down the shift key and right-click on it, then log in as Administrator in the resulting dialog box.
The fixes are for important problems. There's also one confusing problem, having to do with instant messaging programs.
What you need to know
"Windows Messenger" is not the same program as "MSN Messenger". The names are confusingly similar, they both send instant messages, and they both had the same critical security problem, but you have to fix the two of them separately.
The big difference is that Windows Messenger is "part of Windows" and MSN Messenger is not. When you run Windows Update it will install fixes for Windows Messenger but will leave MSN Messenger with the same critical security vulnerabilities. You need to make a separate visit to the MSN Messenger web site to download the security fix for MSN Messenger.
How serious is this, really?
It's one step short of an emergency and could turn into one overnight. There's a four-step process that happens with security bugs:
1. Someone finds a bug that might be a security bug.
2. Someone writes a program that demonstrates breaching security using the bug. They do that to prove the problem is real and so everyone can test a security fix.
3. Someone changes that demonstration program to do unkind things.
4. Someone turns the bad program loose, perhaps making copies of itself.
Step 3's already happened. Microsoft says step 4 hasn't happened yet. There's absolutely nothing to stop it, though, and anti-virus firm Symantec says they've seen an attack in the wild.
Anyway, you may not have a choice. Microsoft's announced plans to deny logins from anyone who's still running a vulnerable version.