Microsoft Readies Patches For Windows Vista, IE Bugs

In next week’s Patch Tuesday release, Microsoft will release six bulletins that contain fixes for critical bugs and another three that patch flaws with a top rating of important.

Microsoft announced Thursday that it will be releasing nine security bulletins next Tuesday to patch bugs in Windows Vista, Internet Explorer, and Visual Basic.

In its monthly Security Bulletin Advance Notification, Microsoft announces how many security updates or bulletins will be released the next week, but does not go so far as to say how many vulnerabilities will be patched.

The advisory did note that six of the bulletins will contain fixes for critical bugs and three of them will patch flaws that are given a security risk rating of ‘important’ and under.

Six of the bulletins affect Microsoft Windows. Five of them have a maximum security rating of critical, meaning that at least one of the flaws being fixed is rated as “critical”, and one has a maximum rating of important. One bulletin, which has a maximum rating of important, affects Microsoft’s new and highly touted Windows Vista. That vulnerability could allow remote code execution, according to the advance notification.

One of the bulletins affects Visual Basic, and two affect Internet Explorer. The IE bugs both cause remote code execution. One bulletin, which has a critical security rating, affects Microsoft Office, also enables remote code execution. Other bulletins affect XML Core Services, Office for Mac, Virtual PC and Virtual Server.

In Microsoft’s monthly Patch Tuesday release last month, software company issued six security bulletins, patching 11 vulnerabilities.

Security researchers warned IT managers to patch all of the bugs that were fixed in the July release, but to turn their immediate attention to two vulnerabilities in Active Directory implementations in Windows 2000 Server and Windows 2003 Server. Amol Sarwate, manager of vulnerability research lab at Qualys, called this the most important of the 11 bugs that Microsoft patched last month.

“Vista activation can be bypassed”

 Windows Vista can be run for at least a year without being activated, according to Windows expert Brian Livingston. A single change to Vista’s registry lets users put off the operating system’s product activation requirement by an additional eight times, according to Livingston, who publishes the Windows Secret newsletter. This is five times over the three disclosed last month by him.

In an article, Livingston had revealed earlier that a one-line command lets users postpone Vista activation by up to three times. Since Vista comes with initial 30-day grace period. An extension of additional three times means that users could run Vista for as long as 120 days before they are required to activate the OS. According to him, the one-line command can enable even novices postpone the product’s activation deadline. In fact, Livingston said, with more research it may even be possible to find a way to postpone activation indefinitely.

Though Microsoft had seemingly stayed unconcerned by Livingston’s last month disclosure and flatly stated that using it would not violate the Vista End User License Agreement (EULA), this time the company has labeled the registry change as a “hack.”

 However, Livingston refutes the “hack” charge, saying, “This isn’t a hacker exploit. It doesn’t require any tools or utilities whatsoever.” He also cites that Microsoft has even documented the Registry key, although obtusely, on its Technet site.

Here’s a step-by-step guide into Livingston’s finding:

Step 1: While running a copy of Windows Vista that hasn’t yet been activated, click the Start button, type regedit into the Search box, then press Enter to launch the Registry Editor.

Step 2: Explore down to the following Registry key:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ SL

Step 3 : Right-click the Registry key named SkipRearm and click Edit. The default is a Dword (a double word or 4 bytes) with a hex value of 00000000. Change this value to any positive integer, such as 00000001, save the change, and close the Registry Editor.

Step 4: Start a command prompt with administrative rights. The fastest way to do this is to click the Start button, enter cmd in the Search box, then press Ctrl+Shift+Enter. If you’re asked for a network username and password, provide the ones that log you into your domain. You may be asked to approve a User Account Control prompt and to provide an administrator password.

 Step 5: Type one of the following two commands and press Enter:slmgr –rearm or rundll32 slc.dll,SLReArmWindows

Either command uses Vista’s built-in Software Licensing Manager (SLMGR) to push the activation deadline out to 30 days after the command is run. Changing SkipRearm from 0 to 1 allows SLMGR to do this an indefinite number of times. Running either command initializes the value of SkipRearm back to 0.

Step 6: Reboot the PC to make the postponement take effect. (After you log in, if you like, you can open a command prompt and run the command slmgr -xpr to see Vista’s new expiration date and time.)

Step 7: To extend the activation deadline of Vista indefinitely, repeat steps 1 through 6 as necessary. Livingston’s also got a caveat for the prospective Vista buyers, “If you happen to buy a Vista PC from a little-known seller, and the price was too good to be true, use Vista’s search function to look for the string SkipRearm in files. You may discover that your “bargain” computer will mysteriously start demanding activation in a year or two — but your product key won’t be valid.”