* via http://theMezz.com/lists

* subscribe at http://techPolice.com

The Great MS Patch Nobody Uses
By Michelle Delio WIRED MAGAZINE
2:00 a.m. Dec. 3, 2001 PST

A free, downloadable update that transforms Microsoft's Outlook into a significantly 
more secure e-mail application has languished virtually ignored on Microsoft's website 
for more than a year.

Although the majority of recent viral attacks have come compliments of worms that 
don't rely only on e-mail to spread, the Outlook E-mail Security Update (OESU) can 
stop or greatly lessen the impact of most malicious code, such as BadTrans and SirCam, 
if only people would download and install it.

 OESU blocks the receipt and transmission of most of the e-mail attachments that 
typically can contain virus or worm code. The update also stops malicious code from 
spreading by blocking unauthorized access to Outlook and its address book. Many 
viruses and worms spread by surreptitiously e-mailing themselves to e-mail addresses 
culled from an infected computer's system files.

OESU was released in June 2000, but fewer than 1 percent of all Outlook users have 
installed the update, according to Microsoft's statistics.

Outlook is the most popular program in the Microsoft Office software suite. As of May 
31, 146 million people owned a licensed copied of Office. Microsoft officials say a 
significant amount of users aren't running licensed copies, so the company estimates 
the actual number of Office users is upwards of 300 million.

So far, there have been roughly only 2 million downloads of the Outlook Email Security 

"Obviously, Microsoft has done a poor marketing job letting people know about the 
Outlook Security update, given those low download numbers," said security expert 
Richard Smith. "Plus the patch is difficult to locate on the Microsoft Office website, 
and the documentation is confusing. One has to be a super-sleuth and rocket scientist 
to locate the right patch file and get it installed properly."

"Microsoft really needs to create a Web page called 'Virus protection in Outlook and 
Outlook Express for mere mortals' that makes it very easy to understand how folks can 
stop e-mail worms," Smith added.

Smith's concerns were confirmed by a test group consisting of a dozen Outlook users 
who were asked to download and install OESU. Nine of the dozen reported problems that 
stopped them from installing the patch.

The upgrade needs the user to access program files on the Microsoft Office CD to 
install. Some users were unable to immediately locate their CD; others said they did 
not receive a full copy of the application with the copy of Office that came 
pre-installed on their computers.

Six of the testers who were able to locate their Office CDs said they were unable to 
find the specific file that the update required to apply the fix.

OESU's installer asks users to locate Office's "data1.msi" file. Four users said that, 
as far as they could tell, the file was not present on their machines or Office CDs. 
Two didn't know if it was present because they got frustrated hunting for it and gave 

"Why isn't the update capable of searching on all connected drives to find the file it 
needs?" tester Helen LaChappelle wondered. "Why do I have to struggle (to) locate the 
file myself?"

Nicole von Kaenel, Product Manager for Microsoft Office, said that while "data1.msi" 
is present on all copies of the Office CD, the file-location problem is caused by OESU 
using "Windows Installer Technology" to apply updates and patches.

"One of the important features of Windows Installer is its 'self-healing' 
capabilities. This helps to ensure that applications remain stable and automatically 
repairs any damaged files that it protects," von Kaenel said.

"To make this happen, it uses the original installation source, either a CD or a 
network share, to check and make sure what's on your system is what should be there. 
But the unintended consequence of this can be the frustration of trying to perform an 
install when the original source isn't available, like not being able to find the CD."

Von Kaenel said that the latest version of Windows Installer (2.0) allows users to 
download and install many updates without having to access the original install 
source. Installer 2.0 is available for NT/2000 and Windows 95/98/ME users.

In an attempt to make finding and installing software updates easier for users, 
Microsoft also recently began providing a "Detection Engine" on the Office Product 
Updates site that scans a user's system for necessary security updates.

Most testers liked the scanner, but some were overwhelmed when presented with a 
recommendation to install, on average, 10 or so updates, many of which also required 
other updates to be installed first.

"Why can't they roll all this stuff up into one nice, complete patch?" tester Steve 
Gorkin asked.

Von Kaenel said the logistics of releasing patches is "definitely a hard problem."

"On one hand, we feel it is necessary to make patches available immediately so that 
users can be protected right away; however, on the other hand, we realize that 
customers prefer to have things rolled into one, easy-to-deliver patch. As a result, 
we release patches as they are available, but it is also customary to take previously 
released patches and include them in the next service pack."

Von Kaenel said OESU was intended to be the "uberpatch" that incorporated many of the 
most critical outlook security updates into one package. But many of the testers said 
Microsoft's scanner suggested that they needed to install up to a dozen Outlook 
patches to be fully protected.

"This is starting to look like a full-time job," said Ed Vincent, a graphics designer. 
"I think I'll just take my chances and pass on doing the updates."

"People are burning out, trying to keep current with the latest 'patch de jour' for 
Microsoft products," said Richard Forno, chief technology officer for Shadowlogic and 
co-author of Incident Response. "An occasional patch here or there is no problem. But 
every other week there's new patches and fixes, often duplicated, that people need to 
install in what I call the 'Game of Perpetual PC Triage.'"

Christopher Budd, security program manager of the Microsoft Security Response Center, 
said that Microsoft is focusing on providing easier ways to both access and download 
updates or patches. Windows XP includes many options for obtaining patches, including 
the option of having patches and updates downloaded and installed automatically, Budd 

"This is an area of constant concern, evaluation and ongoing work to make 
improvements," Budd said. "However, there is always room for more improvement, and we 
are constantly working to make the process and products better."


For a LIMITED TIME, you will receive a no obligation credit
restoration analysis by phone from a reputable credit
professional. DISCOVER options for removing negative marks
from your credit report and improving your credit rating.
To take advantage of this FREE offer, click here now:

--via http://techPolice.com
archive: http://theMezz.com/cybercrime/archive
subscribe: [EMAIL PROTECTED]
--via http://theMezz.com

This email was sent to: archive@jab.org

EASY UNSUBSCRIBE click here: http://topica.com/u/?b1dhr0.b2EDp2
Or send an email to: [EMAIL PROTECTED]

T O P I C A -- Register now to manage your mail!

Reply via email to