Microsoft responds on patches to Windows users
By Dennis O'Reilly
Conficker is a nasty worm whose design demonstrates a level of sophistication beyond that of your everyday, run-of-the-mill malware.
Fortunately for those of us who keep our Windows systems up-to-date, the odds of being infected with Conficker are minuscule.
WS editorial director Brian Livingston prepared a news update on Conficker that was published March 30. He cited figures from security firm SRI International showing that 54% of machines infected with the worm are in China, Russia, India, Brazil, and Argentina. Many people in those countries have been sold unlicensed copies of Windows and, for whatever reason (as discussed below), don't receive Windows updates, leaving their machines vulnerable.
To be on the safe side, you can test for and remove the worm by using the directions in Brian's article. If you didn't scan for the worm before April 1, don't worry too much. That's merely the date on which infected systems were scheduled to start checking various Web servers for further instructions. Security analysts don't expect the worm to do any significant damage immediately.
By the way, our news update received the third-highest rating of any WS story in the past 12 months — 4.42 out of a possible 5 points, according to more than 1,000 readers who voted in our poll. Bravo, Brian!
After Brian's Conficker piece appeared, Microsoft spokeswoman Jill Lovato wrote to say one of his points was inaccurate:
"I just saw your post, 'Run a Conficker removal tool before April 1,' and wanted to clarify a few things I think you may have been confused about.
"In the first section, you say:
Microsoft doesn't provide all its patches to unlicensed copies of Windows, leaving the vulnerable machines free to attack us — a self-defeating policy recently described by security expert Bruce Schneier.
"This is actually not accurate — Microsoft issues security fixes via Windows Update to all Windows systems, regardless of whether or not that system is genuine.
"Also, the information you reference from Schneier is from 2005 and is no longer accurate. Here is a TechNet article that addresses Conficker and gives details on how PC users can protect themselves."
Brian provides the following response:
"It's ridiculous to say that Microsoft provides all security updates to Windows users, whether or not they pass Windows Genuine Advantage (WGA) validation. No, Microsoft doesn't.
"First of all, a system that fails WGA is restricted in using Microsoft's update and download sites, as described in the Genuine Microsoft Software FAQ:
Q: How does WGA validation work?
A: ... Upon their first visit to the Microsoft Download Center, Windows Update, or Microsoft Update, users will receive a message requiring them to validate their Windows.
"WGA has a reputation for rating some PCs as unlicensed when in fact they're completely legitimate. For this reason, many people exit Windows Update at this point and turn off Automatic Updates (if it was enabled) rather than risk disabling their expensive computers.
"WGA's bad rep comes from Microsoft's own policies. The original version of Windows Vista includes a 'kill switch' (officially called 'reduced functionality mode'), which is triggered in certain conditions.
"Under some conditions — such as if WGA validation fails — the Start menu and desktop icons are hidden, and nothing works except the default browser (so users can buy another license). After 60 minutes, the machine is completely logged off, as explained in a Computerworld article and its continuation. This punitive policy was not changed until Vista Service Pack 1 appeared.
"According to an Ars Technica analysis in January 2007, a minimum of five million users worldwide, and probably millions more, have received false 'nongenuine' ratings from WGA. As a result, Microsoft has lost many consumers' faith in the auto-update process, because people hear tales that using Windows Update can cripple a PC.
"If a user doesn't pass WGA validation or doesn't wish to risk testing for it, Microsoft does not permit all security updates to be installed. Only those updates that Microsoft rates as 'Critical' are presented. This is explained by Microsoft in its Description of Windows Genuine Advantage (emphasis added):
If you have a genuine copy of Windows but decide not to complete the validation process, you can still obtain CRITICAL software updates by using the Automatic Updates feature.
"The trick is that many security updates are rated by Microsoft as only 'Important' or 'Moderate.' But these updates can be just as essential to users as ones rated 'Critical,' because the ratings are often questionable.
"For example, the WGA download itself, titled KB905474, was described as a 'critical security update' from the first day it appeared in 2006, despite the fact that WGA is a marketing effort, not a security update at all.
"In addition, users who fail or never attempt WGA validation are restricted by Microsoft from receiving security software other than patches. For example, validation is required to use the download page for Windows Defender, a free security program. Microsoft says this app protects PCs against 'security threats caused by spyware and other potentially unwanted software.' The download page clearly states:
This download is available to customers running genuine Microsoft Windows ... Windows Vista users must pass Microsoft Genuine validation requirements ...
"Regarding Bruce Schneier, I searched his site and didn't find any sign that he's changed his view of Windows Genuine Advantage since his last post on the subject.
"Finally, linking to Microsoft's TechNet article, which recommends running the Malicious Software Removal Tool (MSRT) to eliminate Conficker, is pointless. As I reported, Microsoft's own Malware Protection Center stated on March 27 only that MSRT removes Conficker versions A and B. There's nothing about MSRT removing the latest Conficker builds (variously described as C or D).
"After I wrote that, a Microsoft source, whom I can't identify, said variants later than B could be detected if MSRT's mrt.exe file is first renamed. Otherwise, Conficker kills the process. Most end users would never think of this, so MSRT for now should not be considered an up-to-date solution.
"I didn't say Microsoft doesn't permit non-WGA users to get any security patches. I wrote, 'Microsoft doesn't provide all its patches to unlicensed copies of Windows.' It's certainly true that the company doesn't provide all its security patches, much less all its various patches, to people who don't run WGA validation. I stand by this statement.
"I urge Microsoft to immediately start delivering all updates — of every kind — to users who are running any copy of Windows, whether or not it validates. Pirate profiteers should be thrown in jail, and Microsoft has a right to prosecute them. But our legitimate computers are the ones that unpatched users' computers attack. Microsoft has no excuse for not updating every system."