Microsoft tells of even minor security flaws

THE BALTIMORE SUN

It's almost like a greeting from an old friend. You start up your computer, log on to the Internet, and up pops a little gray box:

"Microsoft Critical Update Notification: New critical updates are available for your computer. Microsoft strongly suggests that you install these updates now."

When you click the "View Updates" button, you're whisked to Microsoft's Web site, where you can download a fix for the latest Windows security flub.

I've seen plenty of these warnings lately. Last week, it was a fix for a critical security flaw that threatened my "Digital Certificates," whatever they are. The week before it was yet another security bug in Internet Explorer that could allow a hacker to take over my computer, and before that, a flaw in Office XP that could allow a script kiddie in Kazakhstan to burn down my house by remote control, or something like that.

All told, Microsoft has issued 48 security bulletins so far this year, and may well break last year's record of 60. That doesn't count security bugs that other people discover and make public before Microsoft gets a chance to announce them.

What's going on here? Are we risking life, liberty and property every time we turn on our computers?

The answer is no. And yes.

There's no question that Microsoft Windows and its primary applications have more holes than a prairie dog village.

This is the legacy of a corporate culture that developed around personal computers in the 1980s, when few PCs were connected to anything. The young Bill Gates and his Microsoft cohorts were hackers of the old school whose mission in life was to make computers do cool things and provide tools for developers and users who wanted to do the same thing. The notion that somebody might use those same tools to create mischief wasn't on anybody's mind.

Fast forward 20 years and we have hundreds of millions of personal computers that are connected - on corporate networks and over the Internet. Unfortunately, those computers run software that was the product of a stand-alone mindset.

Consider Internet Explorer and its companion e-mail programs, Outlook and Outlook Express. A Web browser by definition is a programming tool that allows an intruder to take control of your computer - albeit at your invitation.

In the best of all worlds, a browser should put strict limits on what a Web programmer can do. It certainly shouldn't let the Web page designer steal information, destroy files or plant programs that can take over your computer.

Although it never deliberately let that happen, Microsoft expended far more effort on adding new features and e-commerce tools to IE than it did on building defenses against hackers who might turn those features around for nefarious purposes. Over the past few years, hackers have figured out how to do just that.

Outlook and Outlook Express compound these security flaws when you display e-mail in Web page format. No longer do you have to visit a Web site to execute malicious code. All you have to do is open your mail or browse through it in a preview window. Moreover, because Microsoft has built so many programming "hooks" into Windows, it's relatively easy for virus writers to hijack Outlook to spread their work around the world.

Unfortunately, these are just two of the many security lapses that Microsoft has been hammered for over the past two years. Many others affect the servers that run corporate networks, e-commerce operations and Web sites.

Gates finally owned up to the problem in January, when he sent a rare message to all Microsoft employees announcing a new "Trustworthy Computing" initiative. Henceforth, he declared, the company's top priority would be security and user privacy - new programs and features would come second.

Indeed, Microsoft is cleaning up its act. When it finds a flaw, it generally fixes the problem, announces it to the world and - if the bug is serious enough - invites users to download a fix.

Which raises another question. How serious are these security bugs? They're certainly treated seriously in the press when Microsoft itself calls them "critical."

Since I've never been bitten by one, I called the best professional troubleshooter I know, Marc Seidler, and asked him how often he encounters the problems these fixes are designed to prevent. Seidler, proprietor of a local consulting business known as The Computer Doctors, has operated on thousands of troubled PCs in businesses and homes over the past half-dozen years. He regularly monitors Microsoft's technical Web sites, which he says are excellent.

"I have never seen one of these sort of security issues" in a client's computer, he said.

"Most of these things are discovered in the lab," he added, and many are important mainly to large businesses with sophisticated networks.

"But if you're sitting at home and have Comcast or DSL [Internet service], it's not an issue."

The latest "critical" announcement is a case in point. It describes scenario in which a malicious Web page could execute obscure code that deletes Digital Certificates from a user's computer. These are files containing the keys that allow users to encrypt e-mail (which almost no one does) and more importantly, exchange credit card and other information securely and transparently with e-commerce Web sites.

As it turns out, no one has actually done this. In fact, Microsoft discovered the flaw during a routine internal security audit. So why a "critical" update? Because under Microsoft's standards (clearly spelled out on its security Web site), a critical problem is one that could result in code being executed on a user's computer without the user's intervention.

The critical designation has nothing to do with the likelihood of an attack. In fact, many of the company's security updates describe flaws that have been found by Microsoft employees or security companies who spend their time probing for cracks in the wall.

Seidler says viruses pose a far more serious threat to average users and recommends installing a virus checker and keeping it up to date.

Does this mean you shouldn't pay attention when you get a "critical" update notification? Of course you should. Just realize that the flaws you read about so frequently don't signal the end of computing as we know it.

For the latest Microsoft security bulletins, surf to www.microsoft.com/technet/ and click on Security in the main menu.

Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad
34°