A New IE Security Rollup
Microsoft released a cumulative patch for Internet Explorer (IE) 6.0, 5.5, and 5.01 that combines security hotfixes for all previously identified vulnerabilities and six newly discovered problems. The new fixes
- remove a malicious user’s ability to run code as the logged-on user
- eliminate a loophole that permits a malicious user who knows complete filenames to read those files on the local system
- ensure that a malicious user can't spoof the filename from a file download dialog box
- close a backdoor that lets IE run scripts even if you've disabled scripting
- eliminate another version of the frame domain verification exploit that lets a user on a Web server read, but not change, files you can view with IE
You can download the cumulative Microsoft Security Update, q316059.exe, from the Microsoft Web site. To install the update, double-click the file or run it from a command prompt. You must reboot your machine to complete the installation.
Because most of the vulnerabilities are present in HTML code, a malicious user can exploit these same loopholes in HTML email messages in older versions of Outlook and Outlook Express. If you haven’t updated systems running Outlook 2000 or Outlook 98, you should install the Outlook Email security update that Microsoft released in June 2001. See the Microsoft Web site.
Outlook 2002 and Outlook Express 6 aren't vulnerable to most of the HTML-based exploits. For detailed information about the breadth and severity of the six new vulnerabilities, read Microsoft Security Bulletin MS02-005.
A Windows XP Dynamic Update
On February 11, Microsoft released six bug fixes that eliminate system hangs and blue screens that occur when you install Windows XP Professional Edition or XP Home Edition. The dynamic update corrects USB speaker and modem I/O problems, ASUS video adapter problems, problems that arise when you upgrade Compaq Professional workstations with Winnov Videum AVI video capture software, setup failures that result from several third-party hardware devices and applications, and data-loss problems that occur when you upgrade Windows Me and Windows 98. You can update your system online using XP’s Dynamic Update feature during or after setup. To download the update for local distribution, see the Microsoft Web site.
A New Version of the Hfnetchk Hotfix Audit and Reporting Tool
Hfnetchk is a comprehensive utility that audits and reports the status of Windows XP, Windows 2000, and Windows NT 4.0 systems. Hfnetchk examines the running version of Windows XP Professional Edition, Win2K, NT 4.0, Internet Explorer (IE), Microsoft IIS, and SQL 2000 and 7.0 and compares the running version against a catalog of all published hotfixes for the software. When a system isn't current, Hfnetchk itemizes the missing hotfixes for each component. The only hotfixes that Hfnetchk can't accurately report on are updates that Microsoft distributes with an installer that doesn't use the standard hotfix.exe.
Although this free utility doesn't download or install hotfixes, it's the fastest method that I know of for determining whether you need to update your OS and other applications. Hfnetchk includes numerous command-line options that let you audit one machine, a group of machines, all systems on a subnet, or all systems on the network and output the audit results in one report. If you haven’t given this utility a test drive, see Microsoft article Q303215 for detailed information about the extensive command-line syntax and Microsoft article Q305385 for the Hfnetchk FAQ. You can download the latest version (3.32), which Microsoft released on January 17, from the Microsoft Web site.
Hfnetchk has apparently become quite popular. Microsoft now maintains a public Hfnetchk newsgroup where you can submit questions and receive online support. To access the newsgroup, go to support.microsoft.com, place your cursor over Self Service Support Options in the lower-left pane, and click Microsoft Newsgroups. In the left pane of the Community Newsgroups page that appears, expand Security (the last entry in the list). The Hfnetchk newsgroup, Network Hotfix Checker Tool, is the second item in the Security list.
SPCheck—A Not-So-Hot Audit Tool
Several readers have asked me about the SPCheck utility, which Microsoft released in July 2001. When you run SPCheck on Windows 2000 or Windows NT 4.0 systems, the utility produces a report that enumerates the current OS's service pack number and reports on the service pack level for the following components:
- NT 4.0: DHCP Server, DNS, RAS, RRAS, SNMP, WINS, TCP/IP, NWLink (IPX/SPX), Exchange Server 5.5
- Win2K: DHCP Server, DNS, SNMP, WINS, TCP/IP, NWLink (IPX/SPX), Exchange Server 5.5
In theory, administrators can use SPCheck to audit the running version of the OS and the individual files and libraries associated with several commonly installed services. Developers can use SPCheck to audit the service pack level of files used by core services on test systems that produce unexpected results.
From a practical viewpoint, SPCheck has two constraints that severely limit its utility. The tool uses the descriptions in spcheck.ini to verify the correct signature and version number for the files that comprise each component. If Microsoft fails to update the spcheck.ini file regularly to include current signatures and version numbers, SPCheck can only report accurately on systems with older components. Because the .ini file is text-based, you can modify the signature and version number, but this manual approach is awkward at best and unworkable in a large network environment. The Win2K version I tested audits just one system, which limits its utility to a small lab or testbed. If you want to test SPCHeck, see Microsoft article Q279631 for information about downloading the tool.