At Your Service (Pack)

 

By David Shamah, The Jerusalem Post, August 27, 2004

 

This is how it works (I think):

 

The developers work on putting more and better features in the next build of Windows, or they might be working on shoring up the menus in Internet Explorer. As in all development shops, the programmers sit around for a few minutes each morning drinking coffee and surfing their favorite sites – when they come across news of a new virus report. Then they check their e-mail; system administrators from five different Fortune 500s write in describing a new vulnerability they have discovered in their network, demanding a solution. A week later, the Mobster.viv virus is big bug news, with networks across the globe being invaded by the menace which slows traffic down and, when enabled, displays a picture of George Raft pointing his finger at the user and saying "you dirty rat."

 

Then, the big security companies, like Symantec and McAfee, come out with emergency fixes to deal with the problem, fixes that will be integrated into the anti-virus programs' next general update. But fixes are just that – temporary methods of blocking the invasion, whether by closing off the port used by the virus or replacing an infected DLL. But the real solution can only be supplied in the office – by the development team at Microsoft, which will determine the section of the proprietary Windows code that allowed the virus to hook into the system and wreak havoc. The team will analyze the vulnerability and come up with a security patch that will reinstall a small section of Windows – eventually arriving (after as much as half a year) at your computer as a "Windows Update."

 

Windows Updates fix the stuff that the various project teams in Microsoft overlooked the first time – whether they come as a reaction to security/operation/performance problems uncovered "in the wild" or in the laboratory. Today, the teams that work on these updates have their hands full; it seems that nearly every week, a new patch is released, and as soon as you go on-line with your Windows NT, 2000 or XP system, that little globey icon in the corner starts flashing, alerting you to a new update that needs to be installed on your system to solve or prevent a bug, leak or other performance or security problem. Updates apply not just to Windows, but to every Microsoft product, especially the ones that use the Internet, like Internet Explorer and Outlook.

 

Eventually, when Microsoft puts together enough Updates, they will assemble them, along with other features (often a new implementation of an existing tool) into a Service Pack. Service Packs in general are required updates, in that software is rewritten by manufacturers in subsequent releases or upgrades to take advantage of the new Microsoft code implementations. And sometimes, if there are enough Service Packs, Microsoft will release a whole new version of Windows; Windows 2000 was originally scheduled as Windows NT Service Pack 5.

 

The problem with this whole setup is that it's reactive. One could argue that Microsoft should be able to foresee the same security gaps that are obvious to a 14-year-old virus program writer, but Windows is a complicated system, obviously beyond the scope of any single individual to manage effectively. Others would say that lots of these things could be prevented if the company was a little more forthcoming with Windows code, but they rightfully fear getting ripped off – and they have a right to defend themselves.

 

By the time an update gets to our desktop, it comes at the end of a lengthy process of investigation and testing – and often comes "too late," in the sense that the problem it was supposed to solve has already been exploited to cause us problems. Updates are automatically sent to our computer, and they are installed, upon our approval, by Windows Update (which is obviously scanning our computers in order to determine whether the patches are installed – a security concern in and of itself, if you ask me!)

 

All this would be merely academic if it were not for the obvious cost in time and money engendered. I have come across many corporate systems – computer networks that entire companies rely upon – that were not treated with Windows Updates for many months, with the result that they were eventually affected by whatever affliction the update was supposed to fix. But even systems where the temporary fixes from the security companies are not downloaded fast enough are at risk – and are often attacked to one degree or another.

 

And now comes the big bugaboo for XP users; starting this week, Windows is releasing its 282 MB mandatory enhancement for XP, Service Pack 2 (http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx). The company says that SP2 is going to solve many of the security problems extant in the system, and will include all sorts of enhancements, including a built-in pop-up blocker and firewall. Security in SP2 is a priority, not an afterthought, as many have considered it in Windows until now. Installing SP2 is going to solve many of the problems caused by existing security gaps that allow in viruses, trojans, and other undesirable elements.

 

Sounds good - until you find out that the new code implementation is going to wreak havoc on dozens of popular programs, which are not going to work without serious tweaking. The company has published an advance list of no fewer than 200 applications that will be affected by the upgrade (who knows how many more will be discovered in the field!). The list (http://support.microsoft.com/default.aspx?scid=fh;ln;xpsp2swhw) includes many games, as well as several anti-virus programs (including products by McAfee and Norton!), ICQ and AIM, MS Office competitors like WordPerfect – and three versions of Microsoft's own Outlook!

 

But remember what we said about "mandatory?" At some point after the release of XP SP2, Microsoft will be releasing Updates to new vulnerabilities that will no doubt be discovered – but they will only work on systems running SP2!

 

So: Let's say you use Adobe Livemotion 2.0 to generate animation and video content. True, Adobe does not support the product any longer, but it still works perfectly well, as far as you are concerned. However, if and when you install SP2, it will no longer work "perfectly well" – or at all, according to Microsoft! You now have two choices: Either invest money, time and effort in buying a new program and be protected, or avoid upgrading to SP2 and keep your system frozen as of August 2004 – until the inevitable virus comes in and eats your system up, in which case Microsoft will say "don’t blame us – we told you to upgrade!"

 

There it is – the classic rock and a hard place. So what do you do? After all, we're talking about the proprietary property of Microsoft Inc. (read your Windows Users' Agreement sometime – it's truly an eye opener). Ostensibly, Microsoft is the only game in town when it comes to installing, upgrading and maintaining operating system software.

 

But I did manage to uncover a third way, one that will allow you to stay on top of security problems before they happen – and help you avoid SP2 as long as is technically going to be possible. And you can even do it for free for the next few months! There is a third party company, called PivX, that distributes automatic Windows security update patches via a system called Qwik-Fix, which you can download from http://www.pivx.com/qwikfix.asp. As soon as a security problem is detected, whether in the PivX labs or "in the wild," Qwik-Fix automatically installs a security patch on your system that eliminates the threat! According to the company, Qwik-Fix was able to help its users avoid the heartbreak and angst associated with nearly all the major virus outbreaks of the past several years, like Blaster, whose vulnerability the company says it detected long before Microsoft did.

 

How does Qwik-Fix "harden" the system if it does not have access to Windows code (the company is not associated with Microsoft)? The fixes it provides are more along the lines of the patches associated with anti-virus programs – except they encompass more solutions than anti-virus programs generally address. In addition, Qwik-Fix will attempt to seal off whole categories of problem areas based on a single example of a security breach, a process outlined in one of the papers at the company’s Web site (http://www.pivx.com/news_081604.asp).

 

One other problem with Updates and Service Packs addressed by Qwik-Fix has to do with compatibility issues. The list of programs that are going to have problems working with XP SP2 is unusually long, but the truth is that there are smaller scale problems with many smaller scale Windows Updates. And when rumor of a compatibility problem spreads among users, the reaction is the same as described above – avoid installing the fix unless forced to by the security problem, or until you can get an upgrade for the affected software.

 

None of the patches applied by Qwik-Fix are permanent, however – they can all be easily rolled back by the software. Which gives you the best of all worlds; you get the protection you need, and an opportunity to see how the security patch (which is likely to be implemented in a similar manner by Microsoft on a code level) reacts to your software. If things don't work out, uninstall Qwik-Fix's change and search for a new strategy to deal with the threat. Either way, you're covered. Think of Qwik-Fix as that extra medical insurance they tell you to take out at Kupat Cholim – it'll make your life a lot easier, both before XP SP2 and after!

 

Qwik-Fix Pro Home Edition is free until October 31, after which it will cost $60 for a single PC license. For all Windows systems (including 95 and 98).

 

Send questions/comments to ds@newzgeek.com