February 12, 2009

Does the glitch in .NET patching put you at risk?

Susan Bradley By Susan Bradley

People using Windows XP Service Pack 3 may not be offered all the .NET security patches their applications require.

However, if none of your PC's programs requires a version of .NET Framework, this problem will have no impact on your system.

My Dec. 4 cialis how it works title=”http://windowssecrets.com/links/casamqr63t9zd/a9dbach/?url=www.windowssecrets.com%2F2008%2F12%2F04%2F03-XP-Service-Pack-3-blocks-.NET-security-patches”>Top Story stated that, due to a bug, Windows XP SP3 users aren't being offered security patches for Microsoft's .NET Framework 3.0. I'm publishing this special column today because several of you asked whether your XP SP3 systems are at risk as a result of this glitch.

First I'll give you some background on .NET Framework, and then I'll describe how to tell whether you need to be concerned about the matter.

Microsoft created .NET Framework to provide building blocks for applications. .NET is not a component of Windows itself. I strongly recommend that you avoid downloading .NET until you install an application that requires one, at which time the program will likely install the necessary version for you.

To determine whether you have any versions of .NET Framework installed on an XP PC, open the Add or Remove Programs applet in Control Panel and look for entries reading Microsoft .NET Framework. If you don't see any such entries, you needn't worry about the update failure.

If you do see .NET Framework in the list of currently installed programs, you need to make sure you're receiving all the updates your system requires.

When you open the Microsoft Update service on Windows XP, you'll see buttons labeled Express and Custom on the Welcome screen. Click Custom to see three patching categories under Select by Type in the left pane: High Priority; Software, Optional; and Hardware, Optional.

Microsoft Update's list of optional updates
Figure 1. Clicking the Custom button on Microsoft Update's Welcome screen shows a list of high-priority and optional updates for your PC.

While all three categories can be considered security-related, in reality only the top section lists critical patches. The second section shows optional patches for Windows and your apps; the third lists driver updates.

Always install patches listed in the upper section. You can selectively install patches from the Software, Optional section, but I recommend that you never install driver updates directly from the bottom section. In the past, drivers I've downloaded from Microsoft's update service have caused problems. Instead, go to the vendor's own site and download driver updates from there. And remember: if the device isn't causing any problems, refreshing its driver software may be more trouble than it's worth.

When I tested several XP SP3 systems, the upper section of the update window — which lists critical security patches — looked much the same as it did on XP SP2 machines. However, SP2 and SP3 showed many differences in the middle section listing optional software updates, including those for .NET Framework.

There's a very good reason the updates in the middle section are listed as "optional." Until an application on your system requires .NET Framework to function, don't install any .NET Framework patches.

Microsoft's update service will offer systems running XP SP2 an update to .NET Framework 3.0, but machines using XP SP3 won't see it listed among the optional patches.

Because of this difference — and the fact that .NET installs can fail, as I discussed last week — I urge you to regularly use a third-party software-update service such as Secunia's free online Software Inspector or the company's standalone program, Personal Software Inspector (obtain PSI from its download page), to check the vulnerability of your PC's software.

PSI scans for outdated and vulnerable versions of Sun's Java, Apple's QuickTime, Adobe's Flash and Acrobat, and other common programs that put your system and data at risk if they're not patched. After scanning 20,000 machines in a recent seven-day period, Secunia reported on Dec. 2 that fewer than 2% of the computers were fully patched.

By the way, several readers notified me that they had problems with the Secunia software scanner. I'll investigate these issues and report what I find in a future Patch Watch column.

Here's the bottom line: don't install any .NET Framework patches listed in Microsoft Update's "Software, Optional" section unless you're sure you have the corresponding .NET Framework installed on your system. Any application requiring a specific .NET Framework, such as Intuit's Quickbooks accounting program, will install the necessary version automatically.

Once the Framework is on your machine, install any offered security patches for it, but be prepared for potential installation glitches. Aaron Stebner's .NET Framework cleanup tool (download page) can help you out if a .NET update gets stuck. You may have to uninstall that version of .NET and reinstall it, as described by Alan Crawford in this week's Known Issues column.

Permalink • Print • Comment

Leave a comment

You must be logged in to post a comment.

Made with WordPress and an easy to use WordPress theme • Sky Gold skin by Denis de Bernardy