CASEScontact - solutions, tools & skills against latest security, cybercrime, hacking & malware threats
Just the facts
     
Title   Windows XP 101 - PART 2 - Paris Hilton Knows CyTRAP's THREE Rules for Better Securing her PC with Windows Update
Description   Using Windows Update the smart & better way for improved protection & less work
CyTRAP LABs ID   CT210009
Date   2005-10-24
Systems affected  
Version number   1.0
ISSN   1603-9866
Verify tip   http://casescontact.org/tips/210009
Risk assessment   High
Impact/Severity   High
Audio/Podcast files  
  • English - CyTRAP ID CT210009
  • Deutsch - CyTRAP ID CT210009

    What's up?
         
       
    Real life scenario Internet & PC scenario
    What is the threat or vulnerability?    
    Some people go by the wisdom "if it ain't broke, do not fix it". While this can be a bad strategy, in most instances we proceed using an approach similar to:

  • write a draft paper or create a test
  • test if it works, then
  • proceed if it works.
    While this may apply with the new bicycle you purchase, things are not so clear cut with software. The rule of thumb is that a very good programmer may have 5 errors for 1,000 lines of code.

    While one or two bugs may be discovered during the quality assurance process before the bicycle leaves the factory, this is not the case with software for various reasons that go beyond the focus of this tip.

  • Some software patches can make things worse, not better. Sailors know that if a ship is going down, you do not drill a hole in the hull to let the water out.

    Because the Windows Operating System (OS) must interface with so many devices, it is natural that some things can go wrong.

    Considering that Windows has just about 5 million lines of code, mistakes do happen. Hence, updates to patch such newly discovered vulnerabilities are necessary.

    Please check out our previous tip on how to better work with Windows, called

  • UPDATE 1 - Windows XP 101 - PART 1 - Grandma's Tricks - Regular Service & Tune Up ==> Turbo Charge XP

    Problem & Solution
         
    Admin  

    We appreciate you looking at one of our alerts. However, to assure that you have the latest version in front of you, please always click the link above to visit the website, because small changes are made without e-mailing the alerts out again.

    Please share this information with your colleagues, because they will appreciate it very much.

    What does it mean to me? Am I vulnerable?  

    So why should you care about the Update services for Windows? Because:

    A) The Threat may come in a variety of forms, including malicious code exploiting a known vulnerability (see also below).

    B) Vulnerability is that if the system is not properly patched, it may exacerbate risks one is exposed to when using the Internet such as viruses and worms.

    C) Impact is severe if the malicious user gains access to one's operating system. Other problems can arise when software no longer functions properly; considering that Windows Operating Systems crash 30 billion times, you want to avoid belonging to this group of frustrated users.

         
    If I fix the problem - will it help me?
    How
     

    The best defense is following good security practices to get a triple benefit by:

  • saving yourself grief (i.e. not having to discover that your operating system no longer runs correctly),
  • not installing a patch that creates another conflict. Since this happens quite often, you may want to check out this source: Before patching make sure that the patch works properly - suggestions from experts including Microsoft, and
  • saving time.
    How can one describe the solution?  
    Good security practices and effective risk management help to minimize the number of problems you may get with patching your system(s). These steps include, but are not limited to:

  • Windows Update 101 - THREE Basic Rules to Follow

    Rule 1: You should regularly update any program you depend on for security, such as:

  • an anti-virus program - get one for free here or,
  • your computer's personal firewall - get one for free here.

    Unfortunately, the scum of the Internet keeps up to date; you can't afford to let them get ahead of you.

    Rule 2: When it comes to programs that are not related to security:

  • if it ain't broke, don't fix it.
  • The new software version is probably slower than the old one. And although it isn't likely, the latest update could create a conflict that wasn't there before. So upgrade only if you really need to--or if, because of some neat new feature, you really want to.

    Of course, Microsoft Windows and its gaggle of associated programs (Internet Explorer, Outlook Express, Media Player, etc.) require a rulebook all their own as listed below.

    Rule 3: When it comes to Automatic Updates, experts advise that it is wise to wait and see how a particular patch works before installing it. For corporations this means the patch is installed on a few isolated machines to see if it runs properly. The UK's Department for Work and Pensions' systems were paralyzed for 4 days because it failed to follow this best practice approach in Nov. 2004.

    Hence, do not use the automatic update and install option; see below under Where can I get more help?, which explains succinctly what you should do instead and why.

         
    Does Microsoft offer me a solution?  
    Microsoft offers you several solutions that will help in making sure that your system is patched properly. If you wish to check, follow our step-by-step description below. Yes, this will take 5 minutes, but it's well worth it:

    A) Make sure you run Windows Explorer 5.0 or higher for this exercise; it will not work with another program. Start by visiting this site:

    B) Then the site responds with:

    "Checking if your computer has the latest version of Windows updating software for use with the website…

    The website uses ActiveX controls to determine which version of the software your computer is running. If you see an ActiveX warning, make sure the control is digitally signed by Microsoft before installing it or allowing it to run."

    If you get the above message you have to do the following:

  • Click on Tools, Internet Options, Security, thereafter:
  • Click on Sites and under Add this website to the zone, copy and paste these website addresses:
    1. http://*.update.microsoft.com
    2. https://*.update.microsoft.com
    3. http://download.windowsupdate.com
    Please remember the following:
    1. You can only add one address at a time and you must click Add after each one
    2. You must add all three sites to make it work properly
    3. Make sure that you do not copy and paste empty spaces at the end of these links; if you add the URL this way, the program will come up asking you to install these trusted sites again...
    If you get an error, re-paste the three sites and avoid the most likely error, which is having empty spaces at the end or at the beginning of any one of the three links. If you want to see how IE is set up correctly,

  • check out this SCREENSHOT here ==> Setting Internet Explorer up to Visit Microsoft's Update website

    FINALLY, please make sure that this box is NOT checked:

    ==> Require server verification (https:) for all sites in this zone

    When you have added the above links and unchecked server verification,

  • click on Add, then OK

    This will connect you to this site:

  • Update Windows Operating System,
  • it will then detect your language setting and come back with a link similar to this (e.g., English) Language version
  • if you need to check for Office updates you can do this Office updates
    Where can I get more help?  
    The text below will provide you with some additional hints including tools and tricks to:
    1. minimize the risk further, and
    2. keep you safer with the help of tools ==> just in case.

    Below we outline some more help and support you can get regarding choosing the best way for getting Security Updates from Microsoft.

    Now that you are on the site for checking for updates, we have made

  • another SCREENSHOT here ==> that shows you what Microsoft's Update website looks like in English and German

    On the right side of the browser window, there will be a box saying something similar to:

    Automatic Updates: Turned ON (most users will have it Turned On or Turned Off).

    Your computer is set to receive security & critical updates automatically.

    Pick a time to install updates.

    Click on this link and you see a pop-up window that offers these choices:

  • Automatic download and installation when patches become available
  • Download updates but let me choose when to install them
  • Notify me but don't automatically download and install
  • Turn off Automatic Updates

    We advise you to choose the following (for more explanation see also the rules above):

    1) if you are a trusting person with a broadband connection, ask the system to:

  • Download updates but let me choose when to install them

    2) if you are really the cautious type, we advise you to choose:

  • Notify me but don't automatically download and install

    This way you can download the updates, which are sometimes huge, when cheaper rates apply and faster downloads are possible (e.g., on a metered phone connection: early morning, weekend). As importantly, being 2 days later might allow you to get a patch that was already fixed again by Microsoft because some large customers reported conflicts and problems that forced MS to prepare a quick fix.

    Yes, see Rule 3 above: patches often do not work properly the first time around, or a yet unknown software conflict might occur (imagine on your machine - making your system crash!). Considering how many thousand devices Windows must work properly with, it is of little surprise that things might not go perfectly... so why be the first?

     


    What is the solution to this problem ?
         
    Tip 1   Here click on Express updates; this is the easiest way, and it tends to only give you updates that are critical, usually security stuff only (see also Rule 2).

    If you want to see choose custom

    In both instances you get to a page called:

    Genuine Windows Validation

    That checks if your Windows Operating System is a licensed or pirated version. In case of running a pirated one, only security updates can be installed. Microsoft should be commended for this because it reduces the pain and risks for its customers, since otherwise pirated versions would go unpatched, thereby possibly causing a nightmare for all law-abiding and paying customers.

    If you have disabled ActiveX options or set your firewall to stop most traffic, you may get: Validation Incomplete: Unable to collect enough information about your PC to make a determination.

    Reasons this PC Failed

  • The Windows Genuine Advantage ActiveX control cannot run properly.
  • This may be due to your internet security settings, or firewall software that you may be running.

    Actions

    Correct the problem listed above.

    If you believe your copy of Windows is genuine, then attempt to resolve the issue listed above and return to complete the validation process.

    If you get the above message you have to do the following:

  • Click on Tools, Internet Options, Security, thereafter:
  • Click Custom Level on the lower left
  • under Run ActiveX controls and plug-ins, click on Enable. This will enable Windows to check. Once done, go back and under Custom level, click on Custom again and disable Run ActiveX controls and plug-ins.

    The above is a bit cumbersome, but if you use another browser for surfing and Microsoft Explorer for this regular exercise only... reduces risks... it's advisable, otherwise you must disable Run ActiveX controls every time you go through this procedure.

    It might also be necessary to disable your firewall for this process only; I had to, to allow validation.

    Tip 2   You can now continue this process and after running the plug in, you should get this message: Validating Your Computer

    In order to validate your copy of Windows, additional system information is being collected from your computer.

    Note: This process does not collect information that can be used to identify or contact you.

    Click on Continue

    Please click Continue to complete the validation process. The system will then likely come back with a message similar to: The scan of your computer has completed and it appears that you are running genuine Windows. At this time we are unable to determine the manufacturer of your PC and in the future additional validation may be required. You may wish to verify that the PC manufacturer name that is printed on the Certificate of Authenticity (COA) matches the manufacturer of your PC.

    No further action is required at this time to complete your validation. Please click Continue.

    Afterwards you might be asked to reboot the machine and re-visit the site below:

    http://www.microsoft.com/genuine/downloads/RunHTA.aspx?displaylang=en&End=http%3a%2f%2fupdate.microsoft.com%2fmicrosoftupdate%2fv6%2fdefault.aspx&ReportSuccess=true&sGuid=891e9dd8-2f65-4c49-99a6-15692f68d010&referrer=default

    To get the updates, another strategy is to go to Tidbit 3 below and just download the whole batch at once without having to go through all this validation process.

    Microsoft prefers that customers use Automatic Updates; here no validation process is required, enabling non-licensed versions of Windows to get the critical security patches.

         
    Tip 3   Want to use another free tool to check if your computer is infected?

    After downloading this 0.8 MB tool from Microsoft, it checks your computer once to see if it is infected by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps you in removing any infection found.

    If an infection is found, the tool will display a status report the next time you start your computer. A new version of the tool will be offered every month. If you want to manually run the tool on your computer, you can download a copy from the Microsoft Download Center or run an online version from microsoft.com. This tool is not a replacement for an anti-virus product. To help protect your computer, you should use an anti-virus product.

    More information for this update can be found at Office updates    

     


    Take another 2 minutes - More tricks to safeguard your information better
         
    Tidbit 1  

    What are the security reasons why I should not use the Automatic Update feature?

    We can think of four good reasons why one would not want to choose the Automatic Update option:

    Reason A) The patch itself may be flawed and may not do what it was intended to do. Being quick to download and install that patch (the benefit of Windows Update) is not always a good move. Microsoft has a long history of releasing patches (and software) that need more in-house testing. Those who adopt push patching will become inadvertent beta testers, and their systems will suffer (see the UK department).

    B) Many updates (Microsoft and otherwise) can result in unknown conflicts with other system services, third-party software, or hardware. It is tough enough to deal with this when you discover it through in-house testing. Now consider how much worse it would be if all of your systems got a bad patch simultaneously, and it brought down a large portion of your mission-critical systems.

    C) Someone at Microsoft might intentionally or accidentally insert destructive code or perhaps a back door into a patch that is pushed with Windows Update. Microsoft will say that this is farfetched and that it has many layers of protection designed to prevent this, but recall that Microsoft servers have been compromised internally in the past. Also, remember that just last spring, someone who claimed to work for Microsoft was able to obtain fraudulent digital certificates.

    D) A home user may not have a broadband Internet connection. Even if all the other objections raised above were not true, consider how much downtime you will experience with periodic large downloads being forced into your PC.

    Many Microsoft patches run into the megabytes. Since the download is a background task, this is not a problem if you have a huge pipe but if you run on a 56KB telephone line, a couple of multimegabyte downloads can seriously tie up a low-bandwidth connection.

       
    Tidbit 2  

    Do you want to change the way Automatic Updates are handled on your PC?

    If you want to change the automatic update option you chose, you can also reach it from your System Tray. Do the following:

    Click on Start, Control Panel, then click on Automatic Updates and you have the same pop-up window again.

  • Notify me but don't automatically download and install

    is again the best option; see Rule 2 and Where can I get more help? for a rationale for doing so.
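
    One way to confirm which of the four choices is actually in force, including the case where an administrator's Group Policy overrides what was picked in the Control Panel window. This is an added example, not CyTRAP's or Microsoft's code; it assumes PowerShell is installed, and the function names and sample cases are made up for illustration.

```powershell
# Added example: which Automatic Updates choice is in force on this PC?
# The registry locations and AUOptions numbering are the ones Windows uses for
# Automatic Updates; the sample inputs further down are constructed.
$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$AuLocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# AUOptions number -> wording of the four choices in the Automatic Updates window
$AuLabels = @{
    1 = 'Turn off Automatic Updates'
    2 = "Notify me but don't automatically download and install"
    3 = 'Download updates but let me choose when to install them'
    4 = 'Automatic download and installation'
}

function Get-AuValues([string]$Path) {
    # Read NoAutoUpdate/AUOptions from one key; empty table if key or value is absent.
    $values = @{}
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($name in 'NoAutoUpdate', 'AUOptions') {
            if ($null -ne $item.$name) { $values[$name] = [int]$item.$name }
        }
    }
    return $values
}

function Resolve-AuSetting([hashtable]$Policy, [hashtable]$Local) {
    # A Group Policy value wins over the Control Panel choice. Policy value 5
    # means "let the local administrator choose", so fall through to the local key.
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $source = 'policy'; $option = 1
    } elseif ($Policy.ContainsKey('AUOptions') -and $Policy['AUOptions'] -ne 5) {
        $source = 'policy'; $option = $Policy['AUOptions']
    } elseif ($Local.ContainsKey('AUOptions')) {
        $source = 'local'; $option = $Local['AUOptions']
    } else {
        return [pscustomobject]@{ Source = 'none'; Option = $null
            Setting = 'not configured'; FollowsTip = $false }
    }
    [pscustomobject]@{
        Source     = $source
        Option     = $option
        Setting    = $(if ($AuLabels.ContainsKey($option)) { $AuLabels[$option] } else { 'unknown value' })
        FollowsTip = ($option -eq 2 -or $option -eq 3)   # the two choices the tip advises
    }
}

# Constructed inputs so the precedence logic can be seen without touching a registry
$samples = @(
    @{ Case = 'dialog left on full automatic'; Policy = @{}; Local = @{ AUOptions = 4 } }
    @{ Case = 'cautious home user';            Policy = @{}; Local = @{ AUOptions = 2 } }
    @{ Case = 'policy overrides dialog';       Policy = @{ AUOptions = 3 }; Local = @{ AUOptions = 4 } }
    @{ Case = 'policy defers to local admin';  Policy = @{ AUOptions = 5 }; Local = @{ AUOptions = 1 } }
)
foreach ($s in $samples) {
    $r = Resolve-AuSetting $s.Policy $s.Local
    '{0,-30} {1,-6} {2} (follows tip: {3})' -f $s.Case, $r.Source, $r.Setting, $r.FollowsTip
}

# The same check against the machine the script runs on
Resolve-AuSetting (Get-AuValues $AuPolicyKey) (Get-AuValues $AuLocalKey) | Format-List
```

    A result whose Source is "policy" means the Control Panel window will show the choice greyed out, so changing it there has no effect.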

    Tidbit 3   Just purchased a new PC and wondering if you need updates? Help is here

    There are several ways to protect your machine better before going on the Internet. One is to get all updates (cumulative patches) from one of the two links below. They are all in one package, meaning you can burn them onto a CD or save them on a memory stick and then install them on your new machine.

  • Complete update pack since SP2 with all patches included here - 60 - 80 MB download

    Please also check out this link for

  • Free utility for updating Windows OS on a newly purchased PC

       
  • Watch out  

    Running SP2 on Your PC - Are You Sure? Quick Check Offered by Microsoft

    SP2 was a big patch that was mostly about security for Windows XP and not much more, but because of this it's a real gem, and Grandma recommends that you make sure that your system is patched accordingly.

    Get it here: http://www.microsoft.com/athome/security/protect/windowsxp/Default.mspx

    The screen will tell you at the top if your Windows XP is running SP2 - otherwise it will help you get it installed.

    Watch Out For Next Tip

  • When: 2005-11-22 - Tuesday
  • What: Wireless Hacks ...

    Administrative
         
    Author   Urs E. Gattiker - CyTRAP Labs
         
    Revisions  
  • 1.0 - 2005-09-27 - First Version
  • Contact details   Web: http://CASEScontact.org
    E-mail: support01@CASEScontact.org

    Tel: +41(0)76-200-7778 or + 44(0)70-9237-6036
    Fax: +44(0)70-9237-6036, dial 3 send fax
     

    --END of ADVISORY - Important Info Below--
     
    We recommend that you VERIFY ALL ADVISORIES you receive IMMEDIATELY, by clicking on the link provided at the top of this alert.

    NO WARRANTY
    Any material furnished by CASEScontact.org is furnished on an 'as is' basis. CASEScontact.org, writers & sponsors make no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.


    CASES writers & sponsors do not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
    Full DISCLAIMER notice at: http://www.casescontact.org/terms.php


    CASEScontact.org -- Threat Alerts and Security Notices --clear and precise, no compromise -
    --currently hosted by Flashcable

    -- END of TIP & Tricks ADVISORY--
    Copyright (c) 2007 by CyTRAP labs - Urs E. Gattiker. All rights reserved.