At Your Service (Pack)
By David Shamah, The
This is how it works (I think):
The developers work on putting more and better
features in the next build of Windows, or they might be working on shoring up
the menus in Internet Explorer. As in all development shops, the programmers
sit around for a few minutes each morning drinking coffee and surfing their
favorite sites when they come across news of a new virus report. Then they
check their e-mail; system administrators from five different Fortune 500s
write in describing a new vulnerability they have discovered in their network,
demanding a solution. A week later, the Mobster.viv
virus is big bug news, with networks across the globe being invaded by the
menace which slows traffic down and, when enabled, displays a picture of George
Raft pointing his finger at the user and saying "you dirty rat."
Then, the big security companies, like Symantec and McAfee,
come out with emergency fixes to deal with the problem, fixes that will be
integrated into the anti-virus programs' next general update. But fixes are
just that - temporary methods of blocking the invasion, whether by closing off
the port used by the virus or replacing an infected DLL. But the real solution
can only be supplied in the office by the development team at Microsoft, which
will determine the section of the proprietary Windows code that allowed the
virus to hook into the system and wreak havoc. The team will analyze the
vulnerability and come up with a security patch that will reinstall a small
section of Windows, arriving eventually (after as much as half a year) at your computer
as a "Windows Update."
Windows Updates fix the stuff that the various
project teams in Microsoft overlooked the first time - whether they come as a
reaction to security/operation/performance problems uncovered "in the
wild" or in the laboratory. Today, the teams that work on these updates
have their hands full; it seems that nearly every week, a new patch is
released, and as soon as you go on-line with your Windows NT, 2000 or XP
system, that little globey icon in the corner starts
flashing, alerting you to a new update that needs to be installed on your
system to solve or prevent a bug, leak or other performance or security
problem. Updates apply not just to Windows, but to every Microsoft product,
especially the ones that use the Internet, like Internet Explorer and Outlook.
Eventually, when Microsoft puts together enough
Updates, they will assemble them, along with other features (often a new
implementation of an existing tool) into a Service Pack. Service Packs in
general are required updates, in that software is rewritten by manufacturers in
subsequent releases or upgrades to take advantage of the new Microsoft code
implementations. And sometimes, if there are enough Service Packs, Microsoft
will release a whole new version of Windows; Windows 2000 was originally
scheduled as Windows NT Service Pack 5.
The problem with this whole setup is that it's
reactive. One could argue that Microsoft should be able to foresee the same
security gaps that are obvious to a 14-year-old virus program writer, but
Windows is a complicated system, obviously beyond the scope of any single
individual to manage effectively. Others would say that lots of these things
could be prevented if the company was a little more forthcoming with Windows
code, but they rightfully fear getting ripped off and they have a right to
defend themselves.
By the time an update gets to our desktop, it comes
at the end of a lengthy process of investigation and testing and often comes
"too late," in the sense that the problem it was supposed to solve
has already been exploited to cause us problems. Updates are automatically sent to our computer,
and they are installed, upon our approval, by Windows Update (which is
obviously scanning our computers in order to determine whether the patches are
installed - a security concern in and of itself, if you ask me!).
All this would be merely academic if it were not for
the obvious cost in time and money engendered. I have come across many
corporate systems - computer networks that entire companies rely upon - that
were not treated with Windows Updates for many months, with the result that
they were eventually affected by whatever affliction the update was supposed to
fix. But even systems where the temporary fixes from the security companies are
not downloaded fast enough are at risk - and are often attacked to one degree
or another.
And now comes the big bugaboo for XP users; starting
this week, Windows is releasing its 282 MB mandatory enhancement for XP, Service
Pack 2
(http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx).
The company says that SP2 is going to solve many of the security problems
extant in the system, and will include all sorts of enhancements, including a
built-in pop-up blocker and firewall. Security in SP2 is a priority, not an
afterthought, as many have considered it in Windows until now. Installing SP2
is going to solve many of the problems caused by existing security gaps that
allow in viruses, trojans, and other undesirable
elements.
Sounds good - until you
find out that the new code implementation is going to wreak havoc on dozens of
popular programs, which are not going to work without serious tweaking. The company has published an advance list
of no fewer than 200 applications that will be affected by the upgrade (who
knows how many more will be discovered in the field!). The list (http://support.microsoft.com/default.aspx?scid=fh;ln;xpsp2swhw)
includes many games, as well as several anti-virus programs (including products
by McAfee and Norton!), ICQ and AIM, MS Office competitors like WordPerfect,
and three versions of Microsoft's own Outlook!
But remember what we said about "mandatory?"
At some point after the release of XP SP2, Microsoft will be releasing Updates
to new vulnerabilities that will no doubt be discovered - but they will only
work on systems running SP2!
So: Let's say you use Adobe LiveMotion
2.0 to generate animation and video content. True, Adobe does not support the
product any longer, but it still works perfectly well, as far as you are
concerned. However, if and when you install SP2, it will no longer work
"perfectly well" - or at all, according to Microsoft! You now have
two choices: Either invest money, time and effort in
buying a new program and be protected, or avoid upgrading to SP2 and keep your
system frozen as of August 2004 until the inevitable virus comes in and eats
your system up, in which case Microsoft will say "don't blame us - we told
you to upgrade!"
There it is - the classic rock and a hard place. So
what do you do? After all, we're talking about the proprietary property of
Microsoft Inc. (read your Windows Users' Agreement sometime - it's truly an
eye opener). Ostensibly, Microsoft is the only game in town when it comes to
installing, upgrading and maintaining operating system software.
But I did manage to uncover a third way, one that
will allow you to stay on top of security problems before they happen - and
help you avoid SP2 as long as is technically going to be possible. And you can
even do it for free for the next few months! There is a third-party company,
called PivX, that distributes automatic Windows
security update patches via a system called Qwik-Fix,
which you can download from http://www.pivx.com/qwikfix.asp. As soon as a
security problem is detected, whether in the PivX
labs or "in the wild," Qwik-Fix
automatically installs a security patch on your system that eliminates the threat!
According to the company, Qwik-Fix was able to help
its users avoid the heartbreak and angst associated with nearly all the major
virus outbreaks of the past several years, like Blaster, whose vulnerability
the company says it detected long before Microsoft did.
How does Qwik-Fix
"harden" the system if it does not have access to Windows code (the
company is not associated with Microsoft)? The fixes it provides are more along
the lines of the patches associated with anti-virus programs - except they
encompass more solutions than anti-virus programs generally address. In
addition, Qwik-Fix will attempt to seal off whole
categories of problem areas based on a single example of a security breach, a
process outlined in one of the papers at the company's Web site
(http://www.pivx.com/news_081604.asp).
One other problem with Updates and Service Packs
addressed by Qwik-Fix has to do with compatibility issues. The list of programs that are going
to have problems working with XP SP2 is unusually long, but the truth is that
there are smaller-scale problems with many smaller-scale Windows Updates. And
when rumor of a compatibility problem spreads among users, the reaction is the
same as described above - avoid installing the fix unless forced to by the
security problem, or until you can get an upgrade for the affected software.
None of the patches applied by Qwik-Fix
are permanent, however - they can all be easily rolled back by the software, which
gives you the best of all worlds; you get the protection you need, and an
opportunity to see how the security patch (which is likely to be implemented in
a similar manner by Microsoft on a code level) reacts to your software. If
things don't work out, uninstall Qwik-Fix's change
and search for a new strategy to deal with the threat. Either way, you're
covered. Think of Qwik-Fix as that extra medical
insurance they tell you to take out at Kupat Cholim - it'll make your life a lot easier, both before XP
SP2 and after!
Qwik-Fix Pro Home Edition is free until October
31, after which it will cost $60 for a single PC license. For
all Windows systems (including 95 and 98).
Send questions/comments to ds@newzgeek.com