
Megapatch for Windows: Do Not Ignore

Two of the most serious attacks could happen right under your nose.

Stuart J. Johnston is a contributing editor for PC World.


Illustration by Robert Neubecker

Here's one patch that you don't want to miss: Microsoft recently released a single security update that fixes 14 separate flaws. Six of these are rated "critical," and most of them occur in Windows XP, 2000, and NT 4.0, and in Windows Server 2003. For users of XP, this bundle of fixes will be included in Windows XP Service Pack 2--whenever it finally shows up (see "In Brief"). But Microsoft decided that you should patch these bad boys right away.

I urge you to install this superpatch as soon as possible. Here's why: Last month, I reported that the lag time between the release of a patch and when crackers come up with code to exploit the hole has shrunk dramatically (see "Worms Come Faster: Are You at Risk?"). Two of the critical holes illustrate this trend.

The recent Sasser worm, created in less than two weeks, employs one of the six critical holes to infect PCs. Users reported that their systems were rebooting unexpectedly after infection. The hole is in a part of Windows XP and 2000 called the Local Security Authority Subsystem Service, or LSASS, which verifies who should be allowed to use your PC locally and, in some cases, remotely over the Internet (see "Sasser Infections Hit Hard" for details). What makes Sasser and its variants so worrisome is that you don't have to do anything, such as click a link, to be infected. Merely failing to protect yourself in the first place puts you in harm's way.

Microsoft has also patched a weakness in its version of Secure Sockets Layer, or SSL--the main technology that is used to keep online transactions private. Crackers took less than a week to create exploitative code based on the patch. Again, you don't have to click anything to unleash the attack. In fact, you don't even have to be in the middle of an online transaction.

So far, only a small number of "break-ins" have occurred (see "Attack Code Targets Windows"). But it's only a matter of time before someone attaches the attack code to a worm.

Jump to Microsoft Security Bulletin MS04-0118 to grab Microsoft's big patch. This is a case where the early bird just may be lucky enough not to get a worm.

However, as if Sasser and the other threats weren't bad enough, there's a problem with the big patch itself: Some Windows 2000 users have had trouble logging onto their machines after installing the update. Visit Microsoft Knowledge Base Article 841382 for a link to Microsoft's hot fix--and for specifics on when you should apply it.

Office XP Service Pack 3 Now Available

The latest service pack for Office XP (aka Office 2002) provides all the patches (security and otherwise) found in SP1 and SP2. To these, Service Pack 3 adds all updates after SP2 up to March 30, 2004. So if you've been slow to get earlier service packs, now's your chance to get up-to-date in one fell swoop.

SP3 includes a long list of hot fixes that eliminate a hodge-podge of minor, but sometimes maddening, quirks, such as items in the Outlook calendar that seem to duplicate themselves.

The update is available in two different sizes: big and humongous. You can use the 16MB version if you have your Office XP CDs handy. If you don't, you'll need the industrial-strength version that comes in at a hefty 60MB. Ouch.

Hop to Office XP Service Pack 3 (SP3) to download either one. Or visit Microsoft Office Online to order SP3 on CD for free.

In Brief

Slip Happens

Microsoft has announced that it will not release Windows XP Service Pack 2 by the end of June after all. Because of testing issues, the release date has been moved back to July or maybe even later, the company says. Go to "Windows XP Service Pack 2 Delayed" for Microsoft's brief explanation.

Nastier Worms

New twists on the Netsky and Beagle worms scored 3 on Symantec's severity scale; most worms are rated at 1 or 2. Update your antivirus definitions by using Symantec's LiveUpdate or McAfee's VirusScan.

Bugged?

Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.


©2008 About.com, a part of The New York Times Company.

All rights reserved.