I’ve been writing about PCs for more than 20 years. So you’d think I’d have this technical stuff down pat. But as I research Microsoft Corp. security flaws month after month, I often scratch my head trying to figure out what the company’s bulletins really mean.
Microsoft offers you two ways to learn about each newly discovered security flaw through its bulletin summaries: You can read the end-user version or the technical version. (Microsoft recently reorganized the way that it presents patch information; see last month’s Bugs and Fixes for details.) Unfortunately, the consumer bulletins tend to be so dumbed-down that their explanations are virtually useless. Conversely, the technical bulletins are unduly complex in some places and intentionally vague in others. Microsoft says it doesn’t want to reveal any information that will help the bad guys create trouble.
For an example of a Microsoft consumer bulletin, head to Microsoft TechNet, select one of the summary links, and click the End User version link. The insight that these bulletins provide amounts to: “Product Y has a flaw; click here to fix.”
To plunge into the full technical spiel, click the Get More Technical Details link. On the separate page that appears, click the plus sign beside Technical Details for the nitty-gritty. These bulletins tend to use language that only a Microsoft programmer could love. Heck, even some of the titles are obscure: Just try getting your head around ‘Heap Algorithm Update for Atypically Large Heap Requests’.
So how about it, Microsoft? We would like to hear about the major technical issues in language that we can understand, even though we don’t write code for a living.
My advice to readers is to use Windows Update to select the critical updates you need to install. Ignore the end-user bulletins, and scan the technical details to learn whether your machine is vulnerable.
For more helpful descriptions of the most serious Windows flaws, pay a visit to CERT, EEye Digital Security, Grey Magic Software, and the SANS Institute. And find out the latest on Windows and Office holes by consulting Woody’s Watch.
Microsoft recently announced that it will disable the Messenger Service by default in Windows XP Service Pack 2, which is due out in the first half of 2004. Miscreants are using the Messenger Service, a feature in Windows XP and 2000, to cause spam ads to pop up on users’ screens (your browser doesn’t have to be running for this to happen). The vulnerability could also be used to spread viruses if you haven’t installed a particular patch (numbered 828035). Visit Microsoft Security Bulletin MS03-043 for a link to this fix.
The Messenger Service isn’t related to XP’s Windows Messenger or to MSN Messenger, the popular IM client. It’s typically used in corporate networking environments. Rather than waiting for SP2, if you’re battling spam ads, go to Microsoft’s instructions on how to turn off the service.
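The column points readers at Microsoft's instructions for turning the service off. As an added example, not part of the original column or Microsoft's own instructions, the PowerShell script below does the same check and change from the command line: it reports whether the Messenger Service is present and running, stops it and sets its startup type to Disabled, and looks for the patch the column mentions. It assumes the service's short name is "Messenger" (the name used on XP/2000), that the MS03-043 fix shows up as installed hotfix KB828035, and that the script is run from an elevated (administrator) session.

```powershell
# Added example (not from the column): check and disable the Messenger Service
# on Windows XP / 2000 era machines. Assumes the service's short name is "Messenger"
# and that the MS03-043 fix is listed as hotfix KB828035, the number the column cites.
$serviceName = 'Messenger'   # assumption: short service name on XP/2000

function Get-MessengerState {
    # Returns 'NotPresent' on systems that do not ship the service (any modern Windows),
    # otherwise "<Status>/<StartMode>", e.g. "Running/Auto" or "Stopped/Disabled".
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotPresent' }
    $start = (Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'").StartMode
    return "$($svc.Status)/$start"
}

function Disable-MessengerService {
    # Stops the service if it is running and prevents it from starting again at boot.
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output 'Messenger Service not installed; nothing to do.'; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $serviceName -Force }
    Set-Service -Name $serviceName -StartupType Disabled
    Write-Output 'Messenger Service stopped and set to Disabled.'
}

function Test-MS03043Patch {
    # Get-HotFix lists installed updates; KB828035 is the patch number given in the column.
    $fix = Get-HotFix -Id 'KB828035' -ErrorAction SilentlyContinue
    return [bool]$fix
}

Write-Output ('Before: ' + (Get-MessengerState))
Disable-MessengerService
Write-Output ('After:  ' + (Get-MessengerState))
if (Test-MS03043Patch) { Write-Output 'KB828035 (MS03-043) is installed.' }
else { Write-Output 'KB828035 (MS03-043) not found; install it through Windows Update.' }
```

Disabling the service removes the pop-up channel entirely, which is the same outcome XP Service Pack 2 will deliver by default; the patch check matters separately, because the column notes that the flaw can be used to spread viruses on machines that lack 828035 even if the pop-ups are merely annoying.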