
Starting From Patch Scratch

I was reminded this week why keeping a Windows-based computer up-to-date on security patches can seem overwhelming for many users.

I recently had to ship my 6-month-old HP laptop back to the repair center after the system stopped going into "hibernate" or "standby" modes, meaning that anytime I shut the lid on the laptop while it was unplugged the hard drive kept spinning and draining the battery. A repair of the operating system didn't fix it, nor did backing up the data and completely reinstalling the OS with all of the manufacturer's drivers.

I didn't really expect HP to fix it, but to my delight they did, and had the laptop back to me in record time. When I fired up the laptop, several things became clear: HP had re-installed a factory "image" of Windows XP Home complete with all the trial programs that I normally delete. Immediately, the built-in wireless card connected to the Internet automatically using a neighbor's open wireless access point, and while the system had Microsoft's Service Pack 2 patch bundle installed, the built-in Windows firewall was not turned on.

But the biggest surprise was that this newly-repaired machine was missing Windows patches going back to December 2004. The fact that HP's current image at the repair center lacks patches that far caught me by surprise. In my view, there's no reason why HP cannot update these images once a month so that customers who are already fatigued with trying to fix their machines don't have to spend all day getting their systems current again.

Before I go any further, I'd like to invite anyone who recently bought or sent back for repairs a Windows machine to contact Security Fix via e-mail (or use the comments section of this blog) about the patch levels on those machines after the machine was fixed or opened for the first time. Please include the make and model of the computer if possible. If I get enough responses, I'll post the findings in a future blog post.

Back to my laptop... After turning on the firewall, the fun began: I visited Windows Update, which prompted me to upgrade the "Windows package installer" and install a fairly recent security patch. I reboot. I fire up Internet Explorer and head over to Windows Update again, which now tells me that in order to proceed I need to participate in the Genuine Windows Validation, a program Microsoft uses to tell whether you're running a licensed version of the operating system. "To get updates, you must first validate your Windows software."

I install the software and pass the test. Back to Windows Update. Now the service tells me I need to update my updater from Windows Update to Microsoft Update. I follow the prompts to do that, and again need to reboot. Same drill: Back to Windows Update, and it finds that the laptop needs some 33 patches, weighing in at nearly 30MB. Luckily, I have a fairly fast Internet connection, and the whole package downloads and installs in just under 37 minutes. Then, you guessed it...reboot! (Needless to say, I recorded my own image of the hard drive after doing all of this in case the same problem cropped up again).

I guess if there's a point I'm trying to make here it's this: While many computer owners grasp the importance of doing this sort of maintenance to a PC, it is easy to see how many less tech-minded Windows users are likely to say, "Ah, the heck with it," when faced with a similar situation.

Microsoft has made great strides toward simplifying its patch and update services. But the company -- and software makers in general -- have more work to do.

By Brian Krebs  |  October 13, 2005; 9:33 AM ET
Categories:  From the Bunker  

Comments

Bottomline is you have to treat your computer like you treat your car. You must get the oil changed regularly and take it in for a tuneup every so often, which is the equivalent of keeping up to date on your patches and security software on your PC.

I do agree that PC manufacturers should keep their images up to date on their end. You don't go out and buy a new car with dated safety features. Why should you accept dated security patches from your computer manufacturer? Very sloppy on HP in my opinion.

Posted by: Derick Bayersdorfer | October 13, 2005 9:49 AM | Report abuse

If you're really concerned about security, you should have reinstalled the OS from scratch when you got it back.

You have no control over who had access to your computer while it was at the shop; this is a perfect place for someone to install a trojan.

And if you found the trojan sometime in the future, it's unlikely that you'd trace it back to the repair shop; you'd just assume that it was infected -after- you got it back.

This isn't to imply that the repair folks themselves are untrustworthy, but you're trusting them and everyone else who might have access to your computer while it's out of your control.

Posted by: Joe Admin | October 13, 2005 10:08 AM | Report abuse

Joe,

Thanks for reading, and for sharing your thoughts. I appreciate your point, but seems like you could make that argument for any computer shipped from a factory.

I already wrote that re-installing with the media they gave me didn't fix the problem. Why should I be at all sanguine that doing so again wouldn't just put me back to square one? Seems to me that at some point you have to take off the tinfoil hat, and get on with things.

At any rate, I think you may have overlooked the point of this post, which was to wag a finger at the computer and software makers for not doing all they can to make this process less painful for their customers.

Posted by: Brian Krebs | October 13, 2005 10:34 AM | Report abuse

Mr. Krebs doesn't mention whether the "hibernate" and "standby" modes now work very well, if at all. My suspicion is that he hasn't had the opportunity to rigorously test the machine for that issue.

I have never found a Windows laptop, XP, or otherwise to "hibernate" or "standby" properly for an extended period of time -- over a year, let's say. After pulling the batteries and resetting almost every laptop that I service in order to get them to boot at all, I now disable the "standby" and "hibernate" functions on new machines. Our employees are told to forget that they ever heard of these supposed features.

Most folks have had negative experiences themselves with these "features" and don't have a problem with disabling these programs.

I don't blame Microsoft engineers, I think that the hardware manufacturers fail to rigorously test their drivers (an understatement, I know...).

Posted by: Mickeysoft | October 13, 2005 11:00 AM | Report abuse

Mr. Krebs doesn't mention whether the "hibernate" and "standby" modes now work very well, if at all. My suspicion is that he hasn't had the opportunity to rigorously test the machine for that issue.

I have never found a Windows laptop, XP, or otherwise to "hibernate" or "standby" properly for an extended period of time -- over a year, let's say. After pulling the batteries and resetting almost every laptop that I service in order to get them to boot at all, I now disable the "standby" and "hibernate" functions on new machines. Our employees are told to forget that they ever heard of these supposed features. They just "shutdown" the machines when they are finished - inconvenient, but at least the thing continues to work.

Most folks have had negative experiences themselves with these "features" and don't have a problem with disabling these programs.

I don't blame Microsoft engineers, I think that the hardware manufacturers fail to rigorously test their drivers (an understatement, I know...).

Posted by: Mickeysoft | October 13, 2005 11:04 AM | Report abuse

Buy a Mac and you don't have to worry about all of the security patches. There are security updates that need to be installed but there are very few compared to Windows. HP is an excellent manufacturer and they are good with tech support but to return your laptop without the patches defeats the purpose of a "clean install" and exposes your laptop to damage once again.

Windows is like Swiss cheese with security and they still can't get it right, although SP2 for XP is a decent update. I like the Mac OS because everything is built-in and you don't have to deal with all of the licensing nonsense. Whether it be digital photos, Bluetooth or music it just works out of the box and it's all included. PC manufacturers don't get this principle.

Mac tech support tells you to back everything up because they will put it back to factory spec if they have to wipe the drive but they always put the latest release with all of the security updates, at least in my experience.

Posted by: Bobby Lea | October 13, 2005 11:16 AM | Report abuse

Mickeysoft,

An oversight on my part: yes, HP fixed the Hibernate/Standby problem. I tested both and they work as they did before this whole thing started.

I usually shut down the laptop when I'm not going to be using it for a while, but it's a pain to have to do that on a moment's notice without having to worry whether the laptop will work again in an hour when I reopen it.

Posted by: Brian Krebs | October 13, 2005 11:22 AM | Report abuse

I would love to ditch my PC and switch to Mac but my husband and I are both Govt employees and therefore chained to PCs/Microsoft at work. We bring too much work home to switch back and forth and the conversion programs still have too many glitches.

That said, Microsoft's patch update system is infuriating. For even more torture, try buying Microsoft software from its site. Forced to register for the ultimate in Big Brother - the Microsoft Passport Network - it still took me 8 days and seven calls to help desks around the world before someone figured out the problem (as in, no link to download the software) really was on their end.

Grrr.

Posted by: MacDreams | October 13, 2005 1:12 PM | Report abuse

I'm a network administrator and systems engineer and hold a couple of certifications. But you don't need to be any type of guru to handle your home computer security.

I'm not saying that Microsoft is the perfect vendor, but I would like to offer my spin on being responsible for your computing environment.

A quick visit to Microsoft's website leads you to a link for home users which has all kinds of cool and important info. http://www.microsoft.com/athome/default.mspx

When you fire up your computer for the first time, their wizard runs you through various options which are designed to improve security like automatic updates, firewall, etc. They even have this annoying popup on your system tool bar called security center.

If you have a job and use computers, chances are there is some kind of computer or network support person who can answer questions.

With all of the media frenzy on security and Windows security, or lack thereof, users should take responsibility for these issues and get more information and/or help.

When you buy a new car, you don't neglect to change the oil and provide appropriate maintenance without serious consequences. The same goes for your computer.

Patricia

Posted by: Patricia | October 13, 2005 1:42 PM | Report abuse

I have a 2002 HP Pavilion 762n. When Windows XP Service Pack 2 was released, I didn't install it, because HP wouldn't guarantee that it wouldn't "break something". They said that SP2 hadn't been tested on my computer, and that any installation of it was at my own risk.

I have given up on installing Windows updates. I am a home computer user, and don't have an IT department to fix things if an update screws them up. In addition, I have a dial-up Internet connection, so downloading the larger updates isn't practical.

I keep Norton Antivirus and Norton Personal Firewall up to date, and hope that they cover Windows' many holes.

Posted by: John Johnson | October 13, 2005 2:25 PM | Report abuse

I didn't see where you went back one last time to make sure no more updates were available. It's not as bad as it once was but there may still be prerequisite patches that keep subsequent ones from showing up. I always tell people to keep going back until you see the "no critical updates available" message.

Posted by: gary | October 13, 2005 5:16 PM | Report abuse

Gary,

Maybe I should have said to go back and search for additional updates, but that's not what I did. I looked up the MS knowledgebase descriptions of the patches installed and saw that it had installed up to and including MS05-052, the very last patch MS released - (earlier this week). But you're right of course, the order in which the updater patches things isn't always so linear.

Posted by: Bk | October 13, 2005 5:45 PM | Report abuse

Windows won't even let me in. When I go to validate, I have to be running IE and Outlook. I use Mozilla and Thunderbird so I get no updates for Windows. I think this is wrong since I bought the Windows XP program.

Posted by: MJ WYatt | October 14, 2005 12:58 PM | Report abuse

I can't believe the amount of hoops Windows users have to jump through just to have a temporarily secure machine. What a waste of time and productivity. Thank you Apple for OS X. It's a real no-brainer.

Posted by: Jeff | October 14, 2005 1:06 PM | Report abuse

Ohmigod! You die-hard PCers, I don't know how (nor WHY!) you stand it! Get a grip, get a life, GET A MAC!

Posted by: Lane Aldridge | October 14, 2005 3:46 PM | Report abuse

To Macdreams--I use Microsoft Office programs on my Mac, work back and forth with PC users, with no problems.

Posted by: Lane Aldridge | October 14, 2005 3:52 PM | Report abuse

I just ordered Windows XP Pro from BUY.COM because MS charges tax if I order from them. The version I ordered is supposed to have XP2 included. I won't be installing it until Thanksgiving weekend. I'll let you know how many patches it had or didn't have after I do the install. I suspect I will be going through much the same thing you did Brian!

Posted by: dbm1rxb | October 14, 2005 7:18 PM | Report abuse

Nobody has mentioned how many patches you have to install on OS X after you install it. Those patches are also significantly larger on average than Windows patches.

Posted by: Matt | October 15, 2005 7:01 PM | Report abuse

a. missing patches since 12/2004
b. intentionally disabled Windows firewall in SP2
c. automatic Wi-Fi connection to an unknown network

This sort of large-scale incompetence by a major vendor is one reason why malicious hackers, botnets, and other electronic criminals are so pervasive. How many hundreds, if not thousands, of newly vulnerable machines are being shipped by this so-called "repair center"?

As part of the recent layoffs, did HP can the guy who monitored security levels of installed software?

Does HP use the same outdated drive image on new laptops?

Posted by: Ken L | October 15, 2005 10:39 PM | Report abuse

It always makes me wonder why the level of zealotry in the responses from Mac users - without question I use my three PCs with very few problems, cranking out hours of academic and creative digital content - yes Mac people, you can do everything, repeat everything you do on a Mac on a common and/or garden variety PC. When I was a Mac user (admittedly before Apple went to a flavour of Unix) I was forever plagued by faulty motherboards, memory, drives and system (i.e. OS) issues.
The security with XP is a problem, based on MS insisting on maintaining backdoors to their OS and apps. If they removed all those intrusions, there'd be fewer problems for all concerned. However, if I'm an overeducated, under utilised third world IT person (read hacker), who am I going to aim my new nasty at - 90% of the computing world or the other 10%.
It doesn't take a well educated member of the technorati to think that one through.

That being said, I have far fewer problems with everything I do, than my academic/creative counterparts with their sleek, beautifully exteriored Macs. If you think I'm wrong about Apple's focus, ask yourself and answer with a little introspection, not a knee jerk response towards a "Wintel Infidel", how many times has your new powerbook/ipod failed to deliver complete service. The reason why I place harder focus on the Apple range is three fold. 1) The company makes their own devices (as such) so should be able to manage QC more stringently 2) The OS is developed in house (see better internal QC from point 1) and 3) If you pay more for a product you should get something better than just good industrial design, yes?
Are PC manufacturers any better?
Not significantly by any means. My solution is to get my systems assembled to meet my specific needs.

At the end of the day we all need to admit that there is no such thing as a perfect computer system and it really is a case of "User, educate thyself, then take charge".

I think it's fair to say that if you don't know what's under the hood, you'll never get full trouble free performance, whatever the ornament up front looks like.

Posted by: DTVLuke | October 15, 2005 11:59 PM | Report abuse

A (10-14-05) CNET headline is a good example of why I don't install Microsoft patches. The headline is "Critical Windows patch may wreak PC havoc".

Posted by: John Johnson | October 16, 2005 10:55 AM | Report abuse

If anything, that headline is a good reason not to listen to FUD from sensationalist "journalists" who want a snappy headline.

If you were to actually read the KB that Microsoft released about MS05-051, you would see that the problems occur only when the file permissions on a specific directory are changed from their defaults by a user or administrator.

The patch does not change these permissions, and will work just fine if you have not made these changes to your file system permissions.

Posted by: Matt | October 16, 2005 7:05 PM | Report abuse

What can happen is that the service center may have had a number of replacement drives sitting on the shelf, already imaged with WinXP and ready to go. They were probably imaged back in 2004 and are missing any patches after that. That sounds like what may have happened. About all they do at the service center is swap the drive, see if it boots and possibly run a diagnostic program. You're correct in your observation: "I guess if there's a point I'm trying to make here it's this: While many computer owners grasp the importance of doing this sort of maintenance to a PC, it is easy to see how many less tech-minded Windows users are likely to say, "Ah, the heck with it," when faced with a similar situation."

I work with many users that don't know about Windows patching and some are even suspicious of it. I'd say as few as 5 percent of users I deal with would keep up with it on their own. A fresh unpatched install of Windows 2000 without a firewall will be infected within minutes of being on the internet in most situations.

Posted by: Skip Cupit | October 17, 2005 9:17 AM | Report abuse

I recently sent back a client's HP desktop for a warranty motherboard replacement since nothing happened when powering on. When I got it back they had as you described reinstalled the factory image over the existing data. I had to bring everything back up to date and reinstall every application including office even though they all still lived in the programs folder. I also had to go find all the data of the user profiles hidden away in some obscure places. If you replace an identical motherboard why would they have to touch the HD? My thought in the long run is that I will have to back it up and reinstall clean from a format or this PC will also have odd ghost errors and difficulties in the long run.

Posted by: Joe Lewellen | October 17, 2005 11:27 AM | Report abuse

Your post on security patches caught my eye after this weekend of mine. I recently reformatted the hard drive of my girlfriend's computer and installed Windows XP. I was working with a Pentium 3, 1 GHz, and 384 of RAM on a 1MB DSL connection. Here is the kicker... I was working with a Windows XP SP1 CD from sometime around the summer of 2002 (I think). I did a full reformat and a full install, booting from the CD and repartitioning the whole hard drive (40GB).

First thing I did after the install was complete was to go to Windows update... ironically getting the update to the updater as you mentioned. I worked on updates alone from about 5:30pm to 7:30pm on Saturday and by the time I called it quits to go out for dinner, SP2 hadn't even come up as a download yet. Saturday I worked from 11am - 6:30pm again on the computer. I would say I continued with updates until about 3pm at which point I had finished all the "critical" updates and had also knocked out all the software or driver updates. Then... I installed Office XP (the disc image from about summer 2002 as well). I did a full install of Office so my girlfriend would never find herself confused if she tries to do something on a program and gets a message to insert a disc because of the "standard" yet incomplete install. The first thing I did after the install was to again go to Microsoft Update...and what do you know, a whole new host of "critical" updates were there. The last hour of my evening was spent with non-windows installs like shockwave, real, adobe, flash... the usual suspects.

So to summarize, working off a Windows XP SP1 CD and Office XP CD I spent about 6 hours doing nothing but downloading updates, installing updates and rebooting the computer. I didn't keep track, but I would say I was nearing a half-gig in updates and close to two-dozen reboots throughout all this. I can't imagine how a non-tech-savvy person (like my girlfriend) could have ever tolerated if not even completed everything.

Other minor pet peeves: She had some old Microsoft Works documents (.wps) I backed up to CD that Word from Office XP can't open. There is a "conversion pack" available on the Microsoft website for download so that they can be opened in Word. Still, after a full install and all the updates, you would think Word should by default be able to recognize some of the more typical old document formats, especially one from Microsoft. But no, to open a Microsoft Works .wps file in Microsoft Word you have to look around into the disastrous tech support section of Microsoft (or use the wonders of Google). I managed to find about 4 different downloads on the Microsoft website that claimed to do what I needed it to do. It makes you wonder why Microsoft would provide four different downloads and not provide any explanation of their difference. In the end, I settled on what appeared to be the most omnibus and complete package of conversion updates to Word. My point is, this is another task someone of basic computer skills would have never been able to figure out. They would just have been frustrated about not being able to open old files.

Posted by: Connor | October 17, 2005 2:38 PM | Report abuse

While I understand the zealotry of the Macintosh OSX camp, the security problem lies not with the PC (Intel architecture) as such, it is with the "standard" PC operating system, read: Microsoft Windows. Soon, practically all mass-market personal computers (Macs too) will run on Intel CPUs, so the significant difference between the PC and the Mac will be the OS, which is open-source BSD Unix with the patented Macintosh GUI.
Linuxers rejoice!

Posted by: quincy | October 18, 2005 11:13 AM | Report abuse

Wow, lot of posts..

I have a PC purchased from Dell and it came preinstalled with XP Pro. Apparently Dell uses a single "lot key" for all PCs installed in their manufacturing process.

Microsoft Genuine Advantage doesn't honor these and turns me down to all non-security updates. After endlessly searching Microsoft's site to no avail, I ended up at Dell and found that this is a common problem.

The solution was simple. Reinstall with the MS license key purchased which ships with the machine (although not used to install the factory image).

This really sucks. I don't particularly want to reinstall all my apps. I went to great pains installing and locking this box down.

I suppose I shouldn't be surprised.. If Microsoft were a cancer, it would definitely be in some way anal.

Posted by: Solomon Grundy | October 18, 2005 4:37 PM | Report abuse

Okay, you have a fast connection to the Internet. I should add that just makes it possible for the worms to pummel you even faster. But that isn't the point. There are several problems I see here.

[1] MS Windows still does not have a protected file system. This and the fact it has significant market share are why it is targeted by virus / worm writers. The reason the virus writers do NOT try for Linux / Unix / Mac systems is because they have protected file systems. Yes, you can attrib +r or attrib +h, and with the advent of XP effect a privacy setting, but that is far cry from me working on the 'nix systems. I can NOT go write files all over the place, especially in system areas without permission (you need to be the administrator user). How Cutler could have got the file system so wrong coming from OpenVMS which has even tighter file permissions than Unix systems (for example you can give a user write access to a file but deny them the right to delete it or vice versa) is one of the mysteries of the Universe.

[2] There MUST be some other method other than always downloading the patches. Wouldn't it be nice to download all of those patches and KEEP THEM AND WRITE THEM TO A CD? Or better yet, a distribution channel set up so you can get them on pristine pre-written CDs? That way when you updated you would just apply the patches you already had from the CD. That is a lot faster and less error prone than repeated downloads over the Internet - your connection goes down so now what do you do?

[3] With the new and improved updating process, one of the machines I took care of for somebody else is probably sitting there with the NEW AND IMPROVED nVidia VIDEO DRIVERS THAT ARE TWO YEARS OLDER THAN THE ONES THE VIDEO BOARD MANUFACTURER SUPPLIED. Before then I could just tell the updater to leave the video driver alone. I have no idea whether it installed it without asking for permission. So please don't tell me it is just the vendors making mistakes. Microsoft with its sticky fingers all over your machines, backdoors up the yazoo, and a flawed method for updating (AND PREVENTING YOU FROM KEEPING THE UPDATES AND WRITING THEM TO A CD IN CASE YOU HAVE TO DO A REINSTALL OF THE OS) their Operating Systems is a significant portion of the problem. I DO FAULT THEIR ENGINEERS, ESPECIALLY DAVID CUTLER! For that matter, the OS IS MICROSOFT'S, not Dell's, HP's, or who have you. Microsoft should supply an updated install image to the OEM vendor every time they provide a significant amount of patches. You can NOT expect a Dell technician to take that 1-1/2 hours to apply the patches AFTER an install of the OS. That costs them several hundred dollars, and the margins on Wintel machines is fairly slim. So I hold Microsoft responsible for a lot of the problems.

[3] The biggest problem I see with your hardware vendor was not turning the minimal firewall on. That is unpardonable.

In summary, some safe way of saving the patches (provide MD5 checksums and tell the users how to use the md5sum program to check that the update has NOT been tampered with) so if you have to reapply them would go a long way to solve the problem. Even vendors would be able to do things better, and you wouldn't have your machine being pummeled by the Internet worms while it is doing Microsoft updates. Oh, I forgot to mention that before you even connected to the Internet, you should have replaced the XP firewall with a better firewall. You are getting no recommendations from me because if you are using dial-up you need something totally different than a broadband connection needs. For the former you need both PORT and APP type protection. For the latter you need an APP based firewall on the machine, AND A DEDICATED HARDWARE FIREWALL (port oriented) sitting in front of the machine. You should also have your minimal virus protection in place. The first thing I would update would be the virus database, the software firewall, and then Microsoft UNLESS YOU HAVE MICROSOFT PATCHES ON A READ ONLY MEDIUM LIKE A CD. In that case I would do Microsoft patches first BEFORE I even connected to the Internet, and BEFORE both the firewall and the AV package were installed.

Oh, I forgot to add the spyware stuff. That too.
The vendor doesn't have time for that either, and Microsoft bought one of the biggest spies in the business this year (2005). So much for help from them, vis-a-vis that spy.

Posted by: Henry Hertz Hobbit | October 22, 2005 12:50 AM | Report abuse
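
The checksum check suggested in the comment above, as an added example that is not part of the original post or its comments: a script that verifies a saved patch archive against a manifest before anything is installed from it. It uses SHA-256 where the comment names MD5, because MD5 no longer resists deliberate collisions; the file names, manifest name and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check a saved patch archive (e.g. a CD copy) against a
# checksum manifest before installing anything from it.
# Manifest format: "<sha256 hex>  <file name>" per line, as sha256sum writes it.
# Assumption: the manifest comes from the vendor over a separate trusted
# channel; a manifest stored beside the files proves nothing on its own.

# digest FILE -> prints the SHA-256 hex digest of FILE
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1"
    else
        shasum -a 256 < "$1"
    fi | cut -d' ' -f1
}

# is_listed NAME MANIFEST -> 0 if NAME has an entry in MANIFEST
is_listed() {
    while read -r h n; do
        if [ "${n#\*}" = "$1" ]; then return 0; fi
    done < "$2"
    return 1
}

# verify_patch_dir DIR MANIFEST
# Prints one line per problem and returns 0 only when every listed file is
# present with the expected digest and DIR holds no unlisted file.
verify_patch_dir() {
    dir=$1; manifest=$2; bad=0
    if [ ! -d "$dir" ] || [ ! -r "$manifest" ]; then
        echo "usage: verify_patch_dir DIR MANIFEST" >&2
        return 2
    fi
    while read -r want name; do
        if [ -z "$want" ]; then continue; fi
        name=${name#\*}                  # drop sha256sum's binary-mode marker
        case $name in
            */*) echo "REJECTED $name"; bad=1; continue ;;  # plain names only
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1
        elif [ "$(digest "$dir/$name")" != "$want" ]; then
            echo "MISMATCH $name"; bad=1
        fi
    done < "$manifest"
    # A file the manifest does not cover is as suspect as an altered one.
    for f in "$dir"/*; do
        if [ ! -f "$f" ]; then continue; fi
        if ! is_listed "${f##*/}" "$manifest"; then
            echo "UNLISTED ${f##*/}"; bad=1
        fi
    done
    return "$bad"
}

# Constructed demo: placeholder file names and contents, not real updates.
run_demo() {
    demo=$(mktemp -d) || return 2
    mkdir "$demo/cd"
    for k in KB000001 KB000002 KB000003; do
        printf 'contents of %s\n' "$k" > "$demo/cd/$k.exe"
        printf '%s  %s\n' "$(digest "$demo/cd/$k.exe")" "$k.exe"
    done > "$demo/manifest.sha256"
    printf 'appended bytes\n' >> "$demo/cd/KB000002.exe"   # altered after hashing
    rm "$demo/cd/KB000003.exe"                             # removed
    printf 'surprise\n' > "$demo/cd/unlisted.exe"          # added
    result=0
    verify_patch_dir "$demo/cd" "$demo/manifest.sha256" || result=$?
    rm -rf "$demo"
    return "$result"
}

run_demo || echo "archive failed verification; do not install from it"
```
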

The comments to this entry are closed.


© 2010 The Washington Post Company