A matter of trust

I NEVER THOUGHT I'd see the publisher of Windows issue an official document saying, "You shouldn't trust Microsoft."

But that day has arrived. And the behind-the-scenes explanation reveals a lot about Windows and the flaws users are constantly battling.

Our story begins with the software giant's most recent security warning. I don't usually devote a whole column to every weakness Microsoft makes known after being nailed by a white-hat hacker. (There are, after all, only 52 weeks in the year.) But this case cries out for special attention.

For one thing, this particular flaw is especially serious. A PC can be hacked if it merely views a malicious Web page or HTML e-mail. No user action, such as opening an attachment, is required.

The hole affects any system using MDAC (Microsoft Data Access Components) prior to version 2.7. MDAC, which helps Windows download data, and is just about universal. The hole, therefore, threatens many machines running Microsoft's Internet Information Server, every Windows 2000 and Me desktop, and every Windows 9x desktop that's added Internet Explorer 5.x or 6.x.

Systems that are not at risk include Windows XP -- even though it includes IE 6 -- because XP ships with MDAC 2.7. In addition, servers are not vulnerable if Microsoft's IIS Lockdown Tool has been applied. Finally, Windows clients are protected from HTML e-mail attacks if they use Microsoft's Outlook 2002 or Outlook Express 6 (with their default settings) or Outlook 98/2000 with Microsoft's Outlook E-mail Security Update.

All of this, and a patch to update the systems at risk, is explained in the company's 65th security warning this year, MS02-065, at www.microsoft.com/technet/security/bulletin/MS02-065.asp .

Even after being patched, however, many PCs can still be exploited. If you view a tainted site or e-mail, an earlier version of MDAC can be re-installed. If you've ever downloaded an updated Windows component -- and you happened to check the box that says "always trust Microsoft" -- the insecure version of MDAC will install itself without any notice. It can do this because it still has a valid Microsoft digital signature.

This is where "trust" comes in. The Microsoft bulletin says the only way to ward off this attack is to "make sure you have no trusted publishers, including Microsoft." To do this, start IE and click Tools, Internet Options, Content, Publishers, Trusted Publishers. Then remove every company name you find. Sorry, if any new plug-ins arise, you'll now have to decide Yes or No on your own.

In a recent financial statement, Microsoft revealed for the first time that desktop Windows makes a profit margin of more than 85 percent. To put this in personal terms, for every dollar you spent licensing the OS last year, Microsoft spent less than 15 cents on all Windows packaging, marketing, and, oh yeah, improving the product.

Setting aside just 1 cent of each dollar would create a fund of $29 million a year. That'd pay a lot of outside security auditors, don't you think?