Horse Sense #51

Feel More Secure

In this newsletter you'll read about new security developments:
 

(1) Seagate enhances its drive warranties

(2) Internet Explorer is deemed unsafe by the Department of Homeland Security and what you should do about it

(3) Windows XP Service Pack 2 will make you safer--but apply with care

(4) How to keep your system properly patched using Microsoft patch sites

 
Seagate Enhances its Drive Warranties
 
Seagate has extended the warranty on all of its drives to 5 years.  Not too long ago, many of the hard drive manufacturers lowered their warranties from three years to one year on many of their products to cut the cost of those drives.  Seagate's announcement shows that they think their drives won't fail.  It is an obvious marketing move to differentiate itself from its competition, but this announcement does give customers the "warm fuzzies."

 
DHS says Internet Explorer is Unsafe
 
The Department of Homeland Security through its US Computer Emergency Readiness Team (US-CERT) finally agreed with us at Iron Horse and declared Microsoft's Internet Explorer browser unsafe.  We recommend fast, safe browsers like Firefox http://www.mozilla.org/ .  Opera www.opera.com and Netscape www.netscape.com are other reasonable alternatives.  We use Internet Explorer only at sites that require its proprietary functions, but are increasingly using NetScape or Firefox whenever we can.  You can see numerous news stories by typing in "Internet Explorer" and "Homeland Security" on Google, but here is a pretty good reference article that also talks about flaws in Microsoft's Internet Information Server (web server). <broken link>

 
Microsoft has had to issue numerous patches to both its operating system and the Internet Explorer browser to protect against vulnerabilities in the code.  The root problem with many programs today is that they are written without security in mind.  They are also written with programming tools that are unsafe.  For example, commonly used programming languages have no compile time or run time error checking.  That means that you can tell the computer to write to position 100 when only 10 positions should be allowed and it will do it.  Unless the programmer has specifically written code to check for invalid values or the compiler or operating system can detect an out of bounds condition, the system, programs, or data can be vulnerable.  Microsoft's system of DLLs load entire libraries of code rather than just a small portion that might be needed.  Functions within these libraries may be dangerous under certain circumstances.  You get the idea.  The only "safe" computer is one that is off, but many program designs, tools, and methods are inherently unsafe.

 
Windows XP Service Pack 2--Apply with Care

On 8/10/04, Microsoft released Windows XP Service Pack 2 to help address security flaws.  This is an enormous download for administrators at over 250 megabytes.  If end users have autoupdate turned on, they will pull the update down gradually.  You can see more information about Service Pack 2 here: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx .  Most people should wait to install this enormous patch.  In fact, we caution all systems administrators to delay applying this patch until they have fully tested their systems and applications for compatibility.  New security technologies like an enhanced firewall that is on by default (the old one was off by default) could cause applications to fail.  In fact, even some Microsoft applications will fail.  We advise our customers to try this update on their least critical systems or on prototype systems for compatibility.  Because new security features will change the way the computer behaves, we expect a great deal of confusion and a flood of help desk support calls.  We recommend that organizations consider training employees on the new features of Service Pack 2 before they see them on their desktop.  Not all vendors have been able to integrate their products completely with this service pack.  For example, some antivirus programs may look like they are not running in the new Security Center, when they actually are running:  http://www.symantec.com/techsupp/enterprise/sp2/faq.html

 
Because product patches have appeared so frequently from Microsoft, most security professionals have recommended that Auto Update be set to automatically download and apply critical operating system and browser patches to protect users against attack.  Windows XP Service Pack 2 is considered critical as well, so Auto Update will automatically update the system.  This may cause confusion when the new capabilities are enabled.  Your system will become safer and more stable, but it will behave differently.  Computer Reseller News thought resellers should "Install with Care" (testing was prior to the release of the gold code of Service Pack 2).  At this point, Microsoft hasn't announced a timetable for the delivery of Windows XP Service Pack 2 through its Automatic Update Service.  Systems administrators will want to test their systems and applications before this happens, set their systems up so that the update travels only once over the Internet and then from a local machine to local systems, arrange necessary training, and, perhaps, block this update until all necessary testing can be performed.  Expect the distribution of Service Pack 2, at an estimated 80-100MB per workstation, to put a considerable strain on the Internet and on many corporate and governmental networks, slowing work.

 
Iron Horse recommends applying this service pack to your systems AFTER adequate testing.

 
Upgrade Tips

If you've never visited Microsoft's popular update sites, try windowsupdate.microsoft.com to check for updates to your operating system and drivers and officeupdate.microsoft.com to check for updates to Office.  When patching Office, be sure to have your CDs handy as the upgrade installation process will demand them.  Be aware that Microsoft's connections to the Internet will be extremely busy because of all the patches and service packs being downloaded.  As of this moment, Microsoft hasn't posted Windows XP Service Pack 2 to the windowsupdate site as this is an end user site.  It is available to computer professionals who want to test for compatibility and to manufacturers building new systems.

©2005 Tony Stirk, Iron Horse tstirk@ih-online.com