September 20, 2002
Window Manager, Brian Livingston
Pick a pack of patches
FRESH NEW SERVICE packs and patches are here for every version of our favorite OS, Windows. In recent weeks, I've screamed and hollered for needed fixes, so listen up now as I sort them all out.
SSL doesn't protect. In a recent column, I reported that SSL, which safeguards your personal data on the Web, has been hackable in Internet Explorer ever since Version 5.0, released in 1999 (see "IE doesn't lock down").
I wrote then that, because IE -- unlike Netscape and some other browsers -- relies on SSL routines found in the OS, every version of Windows would require a different patch.
To its credit, Microsoft posted between Sept. 4 and Sept. 9 a whole series of corrective updates for Windows 98, Me, NT, 2000, and XP. These should be applied immediately by all users, and ecommerce sites should alert customers to this fact. Details of the problem -- and links to the version-specific patches -- are at http://www.microsoft.com/technet/security/bulletin/MS02-050.asp.
That should solve IE's weakness. But as explained in the above document's Caveats section, look for revised patches soon. These will fix a glitch that prevents the installation of some hardware signed with a Microsoft digital certificate.
Besides patching Windows, you must also download and apply fixes if you use Mac versions of Microsoft Office, Outlook Express, and IE.
The Windows 2000 SP3 uproar. In another recent column I wrote that many companies are upset about new license language in SP3 (Service Pack 3) for Windows 2000. The new terms give Microsoft the right to make silent OS changes "that will be automatically downloaded to your computer"(see "Sneaky service packs").
Windows 2000 doesn't auto-download all that much yet. But people are also mad as hell about routine SP3 changes which they clicked OK to.
Echoing readers' cries that I previously printed, Howard Plumley Jr. writes, "SP3 upgrades the Windows Installer to Version 2.0.2600.1. This is incompatible with Data1.msi on the MS Office  CD. I cannot add users because they can't run Office. I can't patch Office because of the requirement to insert the CD to apply patches."
Microsoft already knows about many problems like these, and there are work-arounds. Explanations of this and other SP3 headaches -- and links to Microsoft's prescriptions -- are available at http://www.winnetmag.com/Articles/Index.cfm?ArticleID=26431 and http://www.labmice.net/articles/win2000sp3.htm.
How far does Windows XP go? The new license language in Windows XP's SP1, released to the public on Sept. 9, differs from the beta service pack that I discussed on Aug. 26.
The final text now says you authorize SP1 to install on your computer "technological measures that are designed to prevent unlicensed use." I'm all for stopping mass pirating, but so many questions have been raised about these "measures" that I'll dissect them in detail next week.