Security Fix Blogger
Friday, January 6, 2006 11:00 AM
Security Fix blogger Brian Krebs was online to answer your questions about the latest computer security threats and offer ways to protect yourself and your personal information.
A transcript follows.
Brian Krebs: Hello, everyone, and welcome the first Security Fix Live chat of 2006! It's a relatively light day for questions so far (I'm guessing it may be due to some reader fatigue from all this MS patch craziness over the past week) so if you've been anxious to get a security-related question answered, now may be a good time to submit it. In the meantime, I'll get busy answering the ones we've already received.
Tampa, FL: Re Firefox 1.5 allowing software installation:
I recently installed Firefox 1.5 on my Mac and on my sibling's Windows PCs; we had used Firefox 1.07 previously. Earlier versions of Firefox required you to click "Allow sites to install software," but this useful security feature seems to be missing from Firefox 1.5. I've looked everywhere in Firefox Options (Windows)/Preferences (Mac), but can't find it. Am I missing something?
Brian Krebs: Good for you, Tampa. Firefox 1.5 streamlines quite a few things about the browser from previous versions, including automatic security updates.
To answer your question, the Mozilla folks have tweaked things just a bit, but you fiddle with installation settings by going to Tools, Options and then click on the Content tab, and check the box that says "Warn me when Web sites try to install extensions or themes." You can also add trusted sites to the "Exceptions" tab to keep from seeing the warning box for those sites.
If that doesn't solve your problem, try going in to the guts of Firefox, by typing "about:config" into the URL field of the browser (without the quotes of course). Then in the "Filter:" tab just below, type xpinstall, and it should bring you to the right area of options. I have FF 1.5 installed and it prompts me whenever something tries to install, and my settings are: xpinstall.enabled = true, and xpinstall.whitelist.required=true. You can toggle the true/false settings but just double-clicking on the preference name. Try setting your browser to the same settings to see if that fixes it.
Newton, Mass.: I just recevied a "Windows Update" download that looks like "the patch." I thought it wasn't due out til Jan 11.
Brian Krebs: You might have missed yesterday's article and blog post , but Microsoft was going to release next Tuesday the patch for this flaw that worms and viruses have been exploiting, but they changed their mind and pushed it out last nite. So if you have Automatic Updates enabled, you should see one patch available for Windows to fix this problem.
Microsoft also plans to issue two more patches next Tuesday as part of its regularly scheduled patch process.
Walla Walla, Wash.: Brian,
Does the Ilfak Guilfanov patch need to be uninstalled after todays MS patch is complete?
Brian Krebs: No, it shouldn't have to be, but it's probably a good idea to go ahead and do that. You should be able to get rid of it by going to Add/Remove Programs and looking for something called "WindowsMetafileFix."
Rockford, Mich.: I installed the third party fix that you recommended and now installed the microsoft patch. How do I get the capability back to view pictures, etc. that the third part fix deleted?
Brian Krebs: Hi Rockford, thanks for your question. I answered this in the blog already, but here it is again, since I imagine there are plenty of others who have the same question.
* Click Start, click Run, type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Phil Johnson, Oklahoma City: How do I know when my Windows XP system has been patched successfully?
Brian Krebs: Hey Phil -- Excellent question. Here's how you do that. Go to Start, Control Panel, the "Add/Remove Programs." Make sure the box at the top next to "Show Updates" is checked. After it's done loading all the programs installed on your PC, scroll down the the very bottom where all the updates should be listed. If this latest update has been installed, the last entry for Security Updates should be:
Security Update for Windows XP (KB912919).
Mine says it was installed on 1/6/2006. Hope that helps.
Newton Mass.: Your comment to Rockford Michigan..."A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box"
Don't you mean "the REGISTRATION" rather than the "Unregistration?"
Brian Krebs: Doh! Yes, you are right of course, Newton, Mass. The dialog box should confirm that the registration process has succeeded. Thanks for pointing that out: We just got a flood of questions and I'm trying to get to as many as I can.
Annandale, Va.: Brian,
It appears that Microsoft is no longer supporting Windows ME as with this latest security software patch released yesterday. Why is that? I purchased my Dell Dimension 8100 about 3 years ago. Is it time for a new computer??
Brian Krebs: Microsoft claims the problem that we've been writing about this past 10 days or so doesn't affect Win9x/ME, or at least it can't find any way that someone could exploit the problem on those machines. Whether they simply can't figure out a way to exploit it or whether it really is or isn't exploitable is up for debate: the fact is that no one is aware of any existing exploits that attack this flaw on Windows 9x/ME.
Re: how old is too old....I get this question a lot. I've seen so many problem machines that are running Windows 9x/ME that it's hard for me not to recommend that people upgrade or switch to another OS. Despite the recent craziness with this WMF flaw that affected even fully patched WinXP/2k/2003 systems, the new Windows operating systems do have quite a few more checks to make sure things aren't misbehaving on the system. I would say three years is a decent run for a desktop PC: the improvements in speed and performance alone that today's hardware and software can offer over three years ago (if you've got ME on that machine I suspect the machine is probably more than three years old) then that's two doublings of processing power a la Moore's Law, and may alone be worth the upgrade, especially if you do more than just word processing and sending e-mail and browing the web (i.e. gaming, graphics applications, etc.)
Sacramento, Calif.: I stay current with MS updates as well as the latest virus definitions with Norton and have never been infected with a virus. Am I just lucky?
Brian Krebs: No, you're not just lucky: you're doing things right. If you use a firewall, stay up to date on patches and anti-virus definitions, and browse the Web with Firefox, chances are you will have little to worry about. It's amazing how many people can't get this.
I'm not saying you're totally insulated from threats if you do the above (as of course this latest MS flaw shows) but you do have take a measure precaution and exercise common sense. For instance, even if you are doing everything right from a security perspective as a Windows user, if you or some who uses your PC happens to click on a file attachment or malicious link in an instant message, you could find your PC in a world of hurt really fast.
Takoma Park, MD: Hi--I posted a question earlier but am reposting to clarify my understanding. Is the "unofficial" third party MetaFile Vulnerability update, which you can one can remove through Add/Remove Programs, the same as the routine for which you suggest Start> Run> regsvr32 %windir%-system32-shimgvw.dll? Which of your suggestions is the "operative" one? Thank you.
Brian Krebs: The third-party patch is different from the registry hack where you type the "regsvr32" stuff. If you have done the registry hack on your Windows machine, chances are you have noticed you can no longer view certain images in Windows Explorer, e.g. After you've applied the Microsoft patch for this flaw, if you have done the registry hack, undo it using the instructions I already posted above. If you have installed the third-party patch as well, you should use the add/remove programs instructions to get rid of that too. Clear?
Falls Church, Va.: I work for an information security group and I was just wondering how you think the next big virus outbreak will spread? And do you think that PC users will ever get on board and understand the value there is in keeping their systems updated?
Brian Krebs: I believe instant message will soon catch up with if not surpass e-mail as the leading vector for computer worm and virus outbreaks. This may even happen by the end of 2006 or early 2007 is my guess. I could be wrong there: you never know what unknown communication technology will pop up in the meantime: still, it usually takes a while for online threats to migrate to a new distribution medium.
To your question about users, I think you can break down the class of Internet users that you described into a few categories: many are "once bitten, twice shy" type users, that need a serious infection from a computer worm or spend an entire weekend reformatting their hard drive and trying to recoup lost data before they realize the value of preventative security.
Then, there is a second category of casual PC users who know that they should apply patches, use a firewall and anti-virus, and maybe do one or two of those things but almost never all three. According to a recent study from the National Cyber Security Alliance, about 80 percent of Internet users fall into that category.
The last category of users are the real hard cases: the people who for whatever reason cannot be bothered to spend any time on securing their PCs. They steadfastly refuse to install patches (or bundles of them via "service packs"), and never update or renew the anti-virus program that came with their PC. These people are constantly at war with their machine (and probably feeding the bad guys a steady flow of personal and financial info), and many of them - from personal experience - are intelligent, educated people who feel they simply don't have time to deal with it. A lot of these folks like to just buy new PCs and laptops when the old ones get too bogged down with digital crud.
The short answer to your question is this: thousand of new, inexperienced Internet users come online each day. Almost never when someone buys a new PC from the store or online are they given information or warnings about how to safeguard the machines. Most will simply upack the PC, plug it straight into their Internet connection and start surfing. According to the SANS Internet Storm Center's most recent stats on Windows PC survival time (http://isc.sans.org/survivalhistory.php), those people will be infected with SOMETHING within about 27 minutes of going online.
Jack, Boston: Will Microsoft make this patch available to non-registered Windows users, a.k.a. Pirated Software Users?
Brian Krebs: As I understand it, if you have Automatic Updates enabled it shouldn't ask you to validate your copy of windows just to get the patch. I believe that only is required if you visit the Windows/Microsoft update site and try to update manually.
Washington, D.C.: I'm selling a couple of computers and want to make sure that all of my personal information is wiped off the computer. I plan on using StompSoft's Drive Washer. Unfortunately I have been unable to find any reviews for this product. Do you know whether this is a good product or should I go with something else?
Brian Krebs: Hi there. I blogged about this very topic a few months back. You can get to that entry by clicking here . Check the comments section at the bottom of the post for some more helpful tips on software etc. from Security Fix readers.
Germantown, Md.: I am the new owner of an Apple PowerBook. My understanding is that Apple's are more secure with respect to viruses, but what other measures should I take to make sure I'm secure, I'll be using an AirPort Express base which has a built-in firewall. Do I also need anti-virus software?
Brian Krebs: With a Mac, you are already most of the way there, security-wise. For any recent Mac user I would just say make sure the firewall is enabled as you say, and that there aren't any unnecessary exceptions to the firewall rules allowed.
I may also be a good idea to make sure the computer is configured to automagically fetch new security and software updates from Apple.
Reasonable people will disagree over whether Mac users need antivirus protection. If there are any viruses going around these days that affect Macs then I'm not aware of them, but then again you can't be too careful: Macs are gaining in popularity, and as the user base grows, so too will their attraction to the bad guys as complacent targets.
My suggestion would be to download and use a free antivirus produce for Mac, from ClamAV. In my experience, ClamAV has an outstanding record for staying up to date on the latest viruses and worms, even better than many of its commercial peers. Check out ClamXav.com for more information on this.
Lastly, you'll probably want to harden the user/keychain that Mac uses to protect your personal files in case your precious Powerbook falls in the wrong hands.
Anyway, most of this stuff I mentioned (and some other things I didn't) you can find more information on here .
Alexandria, Va.: This latest MS brouhaha has consumed all the attention recently. What other big security news has there been that you haven't gotten a chance to mention on your blog?
Brian Krebs: Haha! Nice try. I work pretty much all day/all nite, and if I see something that amounts to "big security news" that I think affects our readers in an important way, well, then I blog about it. Not saying there aren't other things I could have blogged about had this MS flaw not reared its head, but so it goes.
At any rate, there area few research projects I've been working on for the new year that will make their debut shortly in Security Fix, so stay tuned and check back daily (or even better -- several times a day!)
Burke Va: Will retry as not sure first one went out. Had Norton Updated, windows firewall on, still have virus. I called ms and they had me download four things (smitrem,stanger(sp)spybolt,ms antispyware) I installed their fix,ran all and di your thing with ms type in run still have virus? anything else I can do?
Brian Krebs: Burke, unfortunately, your problem is beyond my ability to diagnose in a forum like this. There are too many unknowns. I would strongly suggest taking your query over to the able and willing folks over at DSLReports's Security Forum . Just be sure to read and follow the instructions in their Help I think My computer is infected! FAQ there about steps to take BEFORE you ask a question. These guys rarely fail to find the solution, I've found.
Vancouver, BC : When you buy a new computer, or if you decide to reinstall Windows on a computer, you have to patch the system first thing, but you have to go online to do so, opening up your machine with security holes before the patches can be applied (as it takes a while to download the updates from MS). Any way around this?
Brian Krebs: Hi, Vancouver. Thanks for your question. You could download all of the patches from Microsoft's site and save them on a disc before reinstalling. But that's probably more trouble than it's worth. If you're running Windows XP, it comes with a built-in firewall that should be enabled by default when you first start it up. Provided you do nothing from the time you plug it into the 'Net except go to Microsoft's Update site and get the patches you need, you should be in good shape. I may take a few reboots and subsequent re-visits to the patch site to get everything you need, but as long as you resist the temptation to go surfing around the Web while you're downloading fixes, there's probably not a lot to worry about. Obviously, you'll want to make sure to get the other stuff (a REAL software firewall and updated anti-virus) in place as soon as you're done patching.
Stafford, Va.: Regarding the unofficial third party MS patch; I thought Windows was a closed source OS. How could anyone outside MS write a patch that altered the functionality of such a program? Unless, did the patch make registry or other administrative changes to protect the vulnerable program rather than alter it?
Brian Krebs: Nice question. Windows is of course closed source. But keep in mind that an exploit (w/source code included) was released for this vulnerability, and any time that happens it's not rocket surgery to find out from looking at what the exploit attacks which areas need fixing. Not saying any old progammer could do it - just that when you have an exploit point a big honkin' sign at the problem area, it makes it a lot easier to develop something that addresses or band-aids the flaw.
I'm pretty sure you can't install the third-party patch w/out being logged in as administrator (which most windows users are by default) but maybe I'm not totally getting the point of that question.
Washington D.C.: I feel that unofficial Windows patches are a bad thing. My primary concerns would be that it changes the gut feeling people have upon receiving mail telling them to install patches from "this might be fishy" to "it worked last time, so why not try it". I.e. it helps those who take the social engineering vector.
Brian Krebs: You hit upon a real raw nerve of many in the security community. That is precisely what made this whole issue of the community recommmending that people install a third-party patch such a big deal: normally, they tell people to just ignore anything that does not plainly come straight from Microsoft, b/c the bad guys try to disguise their malware as patches from Microsoft all the time -- it's one of the older tricks out there.
We willl see if your assumption is correct -- that by waving the normal admonitions that maybe more people will be succeptible to those kinds of tricks in the future. I sure hope not.
Grand Rapids, Mich.: I installed the third party fix earlier. Now I went to find it in my add remove programs and couldn't find it to remove it. So I then went to run and typed in the string you mentioned. I get an error back saysing the parameter is incorrect. How do I know that I have done everything correctly?
Brian Krebs: Grand Rapids, see my answer to a similar question above. I think you may be conflating two issues here: One is the patch, and the other was the registry-fix workaround (un/re-registering the .dll file). If you did not previously unregister that .dll file, there is no reason to go back and re-register it. If you did unregister it and are getting an error back when you try the instructions to re-register it, double check your typing (and leave out the quotation marks!).
Washington, D.C.: Uh, Brian, the firewall in XP SP2 is a REAL software firewall.
Maybe because it doesn't do outbound filtering, you think it isn't REAL? Vista will out an outbound filtering firewall, but the inbound filtering firewall in XP SP2 is more than enough to well, keep things OUT.
Brian Krebs: Wow, I guess I touched a nerve there. Of course Windows XP's firewall is capable of keeping things OUT of your machine, but that - as you acknowledge - is only half the battle. What you really want is a firewall application that lets you take control over traffic going both IN and OUT of your machine, and for that, I'm afraid the current Windows firewall doesn't cut it.
And as for Windows Vista, great! But as there probably aren't too many Security Fix readers out there running the Vista beta right now, that seems like kind of a hollow consolation.
Brian Krebs: Thank you, dear Security Fix readers for making this another successful chat! Again, I was unable to get to all of your questions, but I have saved some of them so that I can answer them in the next Security Fix Live chat on Jan. 20 and 11 a.m. Until then, see you on the blog !
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.