While I am not a fan of Microsoft Auto Update due to a little piece of, ahem, semi-spyware it installs, for those who are less technically inclined it still gives you an easy and safe way to ensure your computer is kept up to date. This is extremely important as Microsoft releases updates monthly (more frequently these days) which help prevent hackers and other malcontents from taking advantage of your computer’s generosity.
Degree of Difficulty: 1 (Grandma)
Note: All tips published will have a difficulty rating of 1 (Grandma could do it), 2 (Normal User), 3 (Power User), and 4 (Geeks only).
To access the screen shown above, click on Start, then select Control Panel, and Automatic Updates. Then, select the button titled “Automatic”. You can then choose when you want Windows to download and update your system. Hint: pick a time in the early hours of the morning, when you can leave your computer running overnight. Wednesday at 3:00AM is a good time, as Microsoft routinely releases patches on the second Tuesday of the month.
Most of the time, the update process should be completely transparent to you, and your computer should be ready for you to check your e-mail with the morning coffee. Occasionally, however, you may run into an update that requires you to accept a user agreement, or requires a restart of your PC. If this is the case, you’ll see some kind of on-screen notification, usually in the form of one of those little bubbles in the bottom right corner.
MS08-067: The Worms are Loose
For anyone who hasn’t yet heard, last week Microsoft released a critical security bulletin regarding a serious vulnerability in the Server service, affecting nearly every version of Windows. Just today, SANS ISC reported that there is a worm loose in the wild that appears to be exploiting this nasty problem. If you haven’t already patched your personal computers and your servers, do so now.
Cross Site Request Forgery
You know how nice it is that whenever you head back to Amazon.com, it already knows who you are? This is because of a neat feature in web browsers called “Cookies”, which are basically little bits of information that web sites place on your computer. From that point on, every time you visit that site, the cookie is sent along with all the other information your computer uploads to the site, such as what web page you are requesting to view. This allows the site to recognize who you are without requesting you log in. Nice, right?
Well, it turns out that this same feature will allow hackers to essentially back-door a request to your favorite sites, and perform any available action using your cached credentials. Steve Gibson over at Security Now does a nice job explaining the more technical aspects of the problem in episode #166, which aired around two weeks ago, so I’ll leave the details to the experts. Suffice it to say, if Steve says this is a big deal (and he does), you need to pay attention.
Basically speaking, the ways to avoid this are two-fold. First, Gibson recommends actively logging out of any web sites that you aren’t actively using. This would include things like Amazon, eBay, and especially sites such as banks or brokers. If you happen to see one of those little “remember me” checkboxes when logging in, leave it blank! This will prevent the problem from occurring in the first place. But because we are all human, and tend to forget to do such things from time to time (present company most definitely included), there’s also a plug-in available for Firefox, called CSRF Protector (CSRF stands for “Cross Site Request Forgery”). It all but transparently blocks this kind of exploit from occurring, so it comes highly recommended.
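To make the advice above concrete, here is a small model of a browser cookie jar and a site that recognizes you by cookie alone. It is an added example, not code from this post or from Security Now; the site name, user name and the Site/Browser classes are all constructed for illustration.

```javascript
// Constructed model: one site ("shop.example") and one browser cookie jar.
class Site {
  constructor() { this.sessions = new Map(); this.next = 1; }
  login(user, rememberMe) {
    const id = "sess-" + this.next++;
    this.sessions.set(id, user);
    // "Remember me" makes the cookie persistent; otherwise it is a session cookie.
    return { name: "sid", value: id, persistent: rememberMe };
  }
  logout(cookieValue) { this.sessions.delete(cookieValue); }
  // The site sees only the cookie, not which page caused the request.
  handle(request) {
    const user = this.sessions.get(request.cookies.sid);
    return user ? `200 action performed as ${user}` : "403 not logged in";
  }
}

class Browser {
  constructor() { this.jar = new Map(); } // host -> cookie
  store(host, cookie) { this.jar.set(host, cookie); }
  forget(host) { this.jar.delete(host); }
  closeAndReopen() { // session cookies do not survive closing the browser
    for (const [host, c] of this.jar) if (!c.persistent) this.jar.delete(host);
  }
  // Cookies are attached by destination host, whatever page started the request.
  request(fromPage, host, path) {
    const c = this.jar.get(host);
    return { fromPage, host, path, cookies: c ? { [c.name]: c.value } : {} };
  }
}

function scenario({ rememberMe, logOut, restart }) {
  const site = new Site(), browser = new Browser(), host = "shop.example";
  const cookie = site.login("alice", rememberMe);
  browser.store(host, cookie);
  if (logOut) { site.logout(cookie.value); browser.forget(host); }
  if (restart) browser.closeAndReopen();
  // Request triggered by a page on a different site.
  return site.handle(browser.request("other-site.example", host, "/order"));
}

console.log(scenario({ rememberMe: true,  logOut: false, restart: true  }));
console.log(scenario({ rememberMe: false, logOut: false, restart: false }));
console.log(scenario({ rememberMe: false, logOut: false, restart: true  }));
console.log(scenario({ rememberMe: false, logOut: true,  restart: false }));
```

Only the last two cases, a closed browser without "remember me" and an explicit log out, leave the site with nothing to recognize. Browsers configured to restore the previous session on startup may keep session cookies across a restart, which is one more reason to log out explicitly.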