Tuesday, August 15, 2006

Security Garden "Landscape Maintenance"

Just like working in your garden, you cannot have tunnel vision when it comes to maintaining your computer. If you only maintain one section of your garden, the rest will become overgrown and/or weed infested. The same principle applies to computer maintenance. Having a firewall and updated antivirus are both essential. However, all the parts are only as good as the whole. That was why one of the first topics I addressed when starting this blog was Windows Automatic Updates in "Maintaining the Security Landscape".

Last week's Microsoft Updates continue to draw a lot of attention, with particular regard to MS06-040. It took the malware writers only days to act on systems left unpatched against MS06-040 and roll out the Win32/Graweg IRC-Mocot, which exploits the server buffer overflow vulnerability. What's worse about this worm is that it registers itself as the "Windows Genuine Advantage" service and renders the system unstable when you attempt to stop or disable the service. (Infected systems will most likely show wgareg.exe or wgavm.exe in the Windows System Directory.)

The "good news" (if you can call it that) is that, as indicated in updated Microsoft Security Advisory 922437, as far as Microsoft is aware, Win32/Graweg only affects Windows 2000 machines that have not been patched or had the appropriate ports blocked. Harry Waldron has compiled a thorough synopsis of security information and warnings as well as anti-virus information in his blog entry "MS06-040 -- New IRCBot attacks unpatched W/2000 systems".

So, you ask, what does all that business about MS06-040 and W32/Graweg have to do with maintaining your computer? It is like this. How do you know that you received all of the updates? If you use Automatic Updates and leave the driving to Microsoft, were all of the updates installed last Tuesday? This question came up in a forum discussion at LandzDown Forum, "Confirming your Windows Updates". To tie that discussion back to MS06-040, the same topic was addressed in the "Microsoft Security Response Center Blog" entry, "Monday Update on Graweg":
Speaking of downloading updates, I also want to clarify some questions I have heard lately regarding why some customers have seen MS06-040 downloaded or installed while some of the other updates have not appeared yet during the same interval. With Windows Update we have the ability to prioritize updates in order to ensure that we are providing the broadest customer distribution possible for a particular update or set of updates given the relative threat. Prioritizing of the updates is done taking into account the threats identified with each individual release. As we have seen, and as has been identified by others, the threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority. This is normal behavior, and if you have not seen the rest of this month's updates yet on your computer, rest assured they are coming and this is perfectly normal.

As stated in Windows Update, Microsoft Update, and Automatic Updates for IT Professionals:

Windows Update provides high-priority and optional updates for all supported versions of the Windows operating system. Windows Update may be accessed at http://update.microsoft.com. It can also be found via the Windows Start Menu.

Microsoft Update provides all the updates offered by Windows Update, plus high-priority updates for Office and other Microsoft applications. Microsoft Update requires a one-time opt-in process and may be accessed at http://update.microsoft.com/microsoftupdate.

When it comes to critical updates, I like to do a quick check that they have actually installed on my PC. The fastest way is to look for the KB update number in Add/Remove Programs. The KB numbers are easily available from the monthly Microsoft Security Bulletin at the TechNet Security Center (or from blogs like this one). Another option is to open C:\WINDOWS\WindowsUpdate.log in Notepad and search for the KB number. You should also be able to locate a log for the specific update, e.g., C:\Windows\KB921883.log. One final option is to go to the Windows or Microsoft Update site and scan your PC for updates. If any of the updates didn't "take", the scan should be able to pick that up.

Although all of those steps are not necessary, sometimes a touch of paranoia isn't such a bad thing when it comes to updates that have been identified as highly critical.
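As an added example (not part of the original post), here is the WindowsUpdate.log check from above turned into a small script: it scans a log excerpt for the KB numbers you expected from the month's bulletin and reports which ones show a successful install, which failed, and which never appeared. The log lines are a constructed sample modelled on WindowsUpdate.log entries; KB921883 is the MS06-040 update named in the post, while the other KB numbers are placeholders.

```python
import re

# Constructed sample of WindowsUpdate.log-style lines (not a real log capture).
# The real file lives at C:\WINDOWS\WindowsUpdate.log; its exact layout varies
# by Windows Update Agent version, so only the "(KBnnnnnn)" token and the
# install-result phrases are relied on here. KB111111/KB222222 are placeholders.
SAMPLE_LOG = """\
2006-08-09 03:15:22  Agent   * Title = Security Update for Windows XP (KB921883)
2006-08-09 03:15:22  Agent   * Title = Security Update for Windows XP (KB111111)
2006-08-09 03:15:22  Agent   * Title = Security Update for Windows XP (KB222222)
2006-08-09 03:20:11  Report  REPORT EVENT: Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows XP (KB921883)
2006-08-09 03:21:05  Report  REPORT EVENT: Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Windows XP (KB111111)
"""

KB_RE = re.compile(r"\(KB(\d+)\)")


def kb_install_status(log_text, expected_kbs):
    """Map each expected KB to 'installed', 'failed', 'offered' or 'not found'.

    'offered' means the KB was listed in the log (detected/downloaded) but no
    install result was logged for it; 'not found' means it never appeared.
    """
    status = {kb: "not found" for kb in expected_kbs}
    for line in log_text.splitlines():
        m = KB_RE.search(line)
        if not m:
            continue
        kb = "KB" + m.group(1)
        if kb not in status:
            continue  # an update we were not asked about
        if "Installation Successful" in line:
            status[kb] = "installed"
        elif "Installation Failure" in line:
            status[kb] = "failed"
        elif status[kb] == "not found":
            status[kb] = "offered"
    return status


def needs_attention(status):
    """KBs to re-check via Add/Remove Programs or a Windows Update scan."""
    return sorted(kb for kb, s in status.items() if s != "installed")


if __name__ == "__main__":
    expected = ["KB921883", "KB111111", "KB222222", "KB333333"]
    result = kb_install_status(SAMPLE_LOG, expected)
    for kb, state in result.items():
        print(kb, state)
    print("re-check:", needs_attention(result))
```

Feed it the KB list from the bulletin you care about and the contents of your own WindowsUpdate.log; anything not reported as installed is what the Windows Update scan should then confirm or re-offer.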
