Wednesday, December 15, 2010

Bad Outlook 2007 Update KB-2412171 -- December 2010 Microsoft Patch Day

January 11, 2011 Update:  This patch has been re-released under the same KB number.  If you previously installed this patch you should update it again.  See for more information.

Bug Summary:
After installing patch KB-2412171 for Outlook 2007 SP2 delivered via Microsoft Updates on Tuesday, December 14 2010; several problems on multiple machines began happening.

UPDATE: Pass the salt please -- Outlook team at Microsoft admits to the bad patch.  (Which TOTALLY rocks, would sure like to see more ownership from team MS when problems come out of Redmond.)

  1. Performance while loading Outlook, or clicking any email folder/sub-folder or changing views was extremely sluggish, even on high performance workstations.
  2. Auto-archive options were missing entirely from the Properties page for any folder, also missing from the Mailbox Cleanup tool. (See screen-shots)
  3. Additionally severe system instability when certain other plug-ins are installed and running: the Franklin Covey Plan Plus for Outlook version 6 in particular began crashing badly.
  4. Users of Comcast and AT&T email services have reported that sending/receiving breaks with this patch.  Error 0x800CCC18 indicating SPA not working.
  5. Some users of outsourced Exchange services have also reported that outgoing emails fail to leave their Outbox.

Tested systems: Windows 7 x64 Professional and Ultimate, running Office 2007 Professional and/or Ultimate. Office 2007 Service Pack 2 installed. Tested with and without AntiVirus running - AV was not a factor. Also tested with the Franklin plug-in removed: which solved the more severe crashing but did not solve the performance issues.

Note that AutoArchive is missing entirely from the patched Outlooks MailBox Cleanup UI, it should be between those two blank lines.

This is what that UI window should look like.

Fix this problem by removing KB-2412171.

This patch can be removed safely. (Note:  Microsoft has removed their page for this patch - which I had linked to in the original article. This hopefully means a fixed version is coming very soon.  In the mean time, here are the steps to remove this patch from your system.)

1) Close Outlook and any related applications (such as Google Calendar Sync).
2) Open Control Panel >> Add / Remove (or Uninstall) Programs.
3) Click Show Windows Updates or View Installed Updates (depends on your Windows version.)
4) Locate the Outlook update KB-2412171 and remove/uninstall it.
5) Normally a reboot is not required, but if you are prompted to -- wait until you complete the further steps below.

Additionally, I recommend you block this update on systems that have not yet been patched, or block it after removing it so you don't get slammed again.

1) Force a check for updates.
2) Updates should display KB-2412171 as available.
3) Un-check KB-2412171, then right click (in Windows 7) and hide it.  In IE (Windows XP) Uncheck the first box next to the update, then check the box below to hide it.

That should solve the problems for now.  I recommend you check back later - when a fixed version is released I will make a point of announcing it here.

New: Microsoft has removed the KB article for this patch from their website as of sometime this afternoon December 16.  They also appear to have removed the patch from Automatic updates.  If you manually remove this patch as described above to correct problems, you should not have to "hide" the update to prevent it from reinstalling. It will simply not be on the list anymore when you refresh available updates.

Tuesday, August 24, 2010

Critical New (yet old) DLL Loading Vulnerability likely won't be fixed via Microsoft Update

Short summary: To continue to provide backward compatibility for older (poorly written) applications, Microsoft will likely not patch what may become one of the most dangerous vulnerabilities in Windows. It effects all versions, even the newest Windows 7 and Windows Server 2008 R2 operating systems. System administrators must manually test and patch each system according to what critical applications are used - to prevent business critical systems from breaking completely - or risk infection.

For a decent analysis on what the problem is, and why Microsoft likely won’t be releasing a hot fix via Windows Update see this article:
ars technica : Windows DLL-loading security flaw puts Microsoft in a bind

A Microsoft KB article was released last night announcing a mitigation fix available to system admins. The process includes adding a new REG key and installing a hotfix that enables that key on the OS.
Restrict the DLL search path algorithm (Machine Global, Application Specific, WebDAV or Remote Folders) KB2264107

Please note that if you intend to deploy this fix you will need to manually apply the patch to each system and import a reg key.

Test all business critical apps on this patch before you deploy widely!

In my opinion Microsoft should bite the bullet on this in favor of security – this is potentially one of the most dangerous exploits we shall see this decade. Expect rampant virus infections very soon on un-patched systems. The catch-22 is that deploying this fix will likely break older 3rd party software that used dangerous DLL calling methods. (No names, but there were some big companies that did this right up until last year - “financial software” cough cough.)

Thursday, May 27, 2010

Tabnabbing - new phishing technique

Ever walk away from your computer, or change focus to a different application for a while and forget where you were surfing?

Might want to be careful. A new phishing proof of concept that affects Firefox, Chrome, IE 8 and most other browsers that support simple scripting and tabs might fool you into thinking you were about to log onto your email account -- or your bank!

It's called Tabnabbing, and a malicious site might use it to change the information on a web page to something that looks like your bank, Gmail account, or even a gaming account log in page. (Hit that link above to see more info as well as a harmless working demo of the technique.)


How The Attack Works

1. A user navigates to your normal looking site.

2. You detect when the page has lost its focus and hasn’t been interacted with for a while.

3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.


You know the drill by now: inform your friends, parents, siblings, co-workers and make sure that official looking log in page to which you're about to respond is one YOU pulled up - not one that just happened to be there when you got back from that bio-break.

UPDATE: If you use Firefox with NoScript, version of said NoScript includes an experimental tabnabbing blocker.

Monday, April 5, 2010

PDF's are the new vector for malware - and now PDF worms are coming

I've ranted in the recent past about PDF vulnerabilities based on exploitable holes or embedded javascript.

Now comes the real warning about the near future:  A built-in feature inherent to the PDF format can be used to run arbitrary code on your machine . . . without using javascript or any actual vulnerabilities.  The only mitigation is that Adobe at least asks the user if code might be run -- but some tricky social hacking can still cause unaware users to click OK on the wrong box.

Worse, another growing competitor to Adobe: Foxit PDF, does not even warn the user that code is about to be invoked.  It just quietly lets the code run without any user interaction!

For a YouTube video demo of this nasty feature in action:
PDF: Launch a Command

For a downloadable test to try your luck with your favorite third party PDF reader see:
Escape from PDF credit to Didier Stevens.

And for the extension of this logic towards the inevitable PDF driven worm, see:
Are PDF's Wormable?

YouTube Video: PDF Worm Demo - No JavaScript Required

The authors are not releasing the method, but I can tell you that once the concept is released, which it has been, someone on the wrong side will figure it out soon enough.

Adobe, Foxit and other PDF reader providers need to look into this ASAP.

Edit: Thanks to theweaselking in the comment below -- Foxit Reader has an update that will change the behavior to match Adobe's product in this scenario. If you use Foxit make sure you've accepted the latest updates.

Of course - I would rather have three changes from both companies.

1) Make the message that asks the user for permission immutable.

2) Give us an option to turn off the third party viewer feature entirely -- just like we can turn off JavaScript in the Preferences. Such calls from within a PDF would be totally ignored.

3) Bonus! How about fixing Adobe and Foxit so they run properly as a Low Integrity Process in Vista and Windows 7 (and Windows Server 2008 / R2.) Mandatory Integrity Control in Win 7 and Vista works very well as another barrier to malware by forcing high risk processes to run at lower permissions than the OS. Unfortunately many popular utilities that should be considered high risk do not take advantage of this feature.

Thursday, March 18, 2010

"We're suing you" spam technique tries to get you to open infected attachments

It's my understanding (but I'm not a legal expert) that if you were actually being served as a defendant in ANY legal action, you would be getting physical paper delivered to you one way or another.

Email legal summons? I don't think so.

Real law firm, fake spam email, real virus. See the Wall Street Journal article.

This might also be construed as a denial of service on the actual law firms phone lines . . . I can't imagine the pain those guys must be feeling as their phone rings off the hook.

Tuesday, February 23, 2010

Dear NVidia . . .

I don't want your stupid PhysX driver, nor do I want your "3D Vision Discover Driver."

Please give me the option during a driver update to not install those components in the first place.

At least I can uninstall them separately after the fact, but it's extra work for me and my clients. (And usually a second reboot before I can get back to work.)

- meh

Saturday, February 13, 2010

PDF Vulnerabilities, Adobe, Critical Updates and YOU

For some time I've dreaded going through the update process for Adobe Reader and Acrobat. Let's face it; the process is painful and can take a long time if you don't have super-high-speed broadband.

But in the last year being current on Adobe patches has become as important as being current on Windows patches.

Last month we saw an explosion of exploits that entered the victims machine via malformed PDF files. Adobe patched Acrobat and Reader versions 8.x and 9.x to close that exploitable vulnerability in the middle of January.

Now it's one month later and we have a new vulnerability that's already being actively exploited by malware distributors. Adobe will be releasing another new update to block it this coming Tuesday, Feb 16th.

As painful as it is, if you accept PDF's via email or view PDF's on the Internet via any browser - you need to be completely up to date to protect yourself.

If you've been letting Adobe's auto-updater run and accepting updates when it offers them - the pain won't be too bad. If you turned it off in the past, or have ignored the update requests - then you've got up to an hour or so of updates to get through. I suggest you start now, then check again Tuesday night or Wednesday morning for the new patch when it's released.

Here's the painful part if you're behind:

1) If you are running any version older than 8.x, you need to upgrade NOW to 9.x. Get thee to and download the newest Reader. (On a side note, while you are there, update your Adobe Flash and Shockwave plug-ins for your browser too!) If you bought and use Acrobat 5, 6 or 7 -- it's time to bite the bullet and get the newest version. Remove that old version completely . . . seriously. However there are alternatives that are more affordable. (See the list at the bottom of this post.) If this is you, be sure to completely UN-install the older version first, and reboot even if you are not asked before installing the new version.

2) Open Reader and click the Help, Check for Updates option. (If you're running Vista or Windows 7 you need to right click the Reader icon and "Run as Administrator" first.)

3) Allow the update to download and install. Reboot if asked, no need if not asked.

4) Repeat from #2 until you finally get the message that there are no new updates.

5) If you have Acrobat, repeat the entire process for that as well.

I just did this to a new clients old machine -- it took about an hour to download and install ALL the updates to bring his copy of Acrobat 8.0 completely up to date. It required two reboots. It required several iterations of steps 2 through 4.

My rant: Why can't Adobe provide roll-up updates that would bring any version of 8.x or 9.x completely up to date with one download and install cycle!? I mean jeez, join the 21st century already would you Adobe?

Now: if you have an ancient version of Acrobat, you should know that there is no need to pay Adobe 450 bucks or more to get the ability to create or edit PDF files. Gone are the days of their monopoly on the format. Here are some alternatives that range from free to "less expensive than Adobe" depending on your usage requirements.

If you need to create (but not directly edit) PDF's from any program you can use that programs Print To function using the excellent and free CutePDF Writer. It installs and behaves like a printer, but instead of paper it "prints" to a PDF file in your Documents folder.

If you own Office 2007, and you need to create PDF's only from Office programs, then you can download and install the free Microsoft Office 2007 Save as PDF or XPS add on directly from Microsoft's download site.

If you need to edit, merge, create forms and just about any other creative task relating to PDF's I suggest either CutePDF Professional or the new "Foxit Phantom PDF Suite". They both include page sizes for all professional fields, load very quickly compared to Adobe Acrobat Professional, and do not (yet) have the security problems plaguing Adobe products. (That may change if they become a big enough target.)

And of course, you could always get the latest version of Adobe Acrobat.

Compare features and price, do your research, and decide.

Sunday, January 17, 2010

New attack vector via IE may prompt out of cycle hot-fix from Microsoft


“The dangerous Internet Explorer [ exploit ] attack code used in last month's attack on Google's corporate networks is now public.”

Short summary of action items:

If anyone you know still uses IE 6 or 7 – for any reason – get them to upgrade ASAP. IE 8 might be vulnerable on XP, likely not on Windows 7 at default security settings (although if the end-user has lowered security defaults on the Internet Zone, or turned off Protected Mode, then all bets are off.)

Firefox 3.5.7 with current versions of the NOScript + Adblock Plus plugins installed and properly used by the end-user is a fairly safe browsing tool.

Not browsing the web until a hot-fix is released is not likely a satisfactory solution, but tempting none-the-less . . .