
Windows Update MS08-037 broke my Internet connectivity today

Today, July 8, 2008, is Patch Tuesday for supported Microsoft operating systems, so I dutifully visited Microsoft Updates manually and installed the DNS patch referred to in this bulletin: Microsoft Security Bulletin MS08-037 – Important: Vulnerabilities in DNS Could Allow Spoofing (953230). This is rated as an "important" patch by Microsoft. Applying this patch is supposed to protect one's PC from DNS spoofing attacks.

However, the patch appears to be overzealous in its implementation. After restarting Windows I was unable to access the Internet whatsoever! I had to use System Restore to roll back to just before I installed this patch, then I was able to get back online and write this article.

I recommend that my readers use caution before installing this patch today. First, be sure you have System Restore turned on. Even then you could wait until tomorrow in case Microsoft discovers the problem and patches the patch!

I don't know if this loss of connectivity was caused by the patch itself, or by a bad interaction with one of my security applications. Therefore, I am going to list my operating system and security program details, in case any of you have a similar setup. This might save you from having to run System Restore, or reinstalling Windows if you have System Restore turned off.

My setup:
OS: Windows XP Professional with Service Pack 3
All previous Windows Updates were installed; I am fully up to date.
No viruses, no spyware, no hostile LSPs are present after multiple scans.
I operate as a Power User, not an Administrator, except to run Windows Updates, install drivers, or uninstall applications requiring administrator privileges.

My security is provided by the following applications:
Avira AntiVir Free current version and up to date (no problems)
Trend Micro Web Protection Add-on v 1.2 (90 day trial - works perfectly)
>> ZoneAlarm Personal Firewall Causes this problem! (See extended comments)
Spybot Search and Destroy 1.5.2, without Tea Timer (no resident module)

Everything returned to normal as soon as I restored my PC to just before I installed Windows Update MS08-037, a.k.a. KB953230. Knowledge Base article KB953230 is found here and has a list of known problems that users are experiencing after installing this flawed update. They need to go back to the drawing board with this patch. I recommend that you read the aforementioned article before installing the patch on your computer.

I'll add information as a follow-up, once I learn the exact cause of my loss of Internet connectivity, as relates to patch #MS08-037.

The cause and solution for my loss of Internet connectivity after applying MS patch MS08-037 have been found and are detailed in my extended comments.

Wiz


Cause of my loss of Internet access after applying Microsoft patch MS08-037

The ZoneAlarm Personal Firewall (v7.0.470.000) is the cause!

It appears that ZoneAlarm's Firewall has a built-in detection that catalogs certain system files that have to do with Internet connectivity and, if they change, denies them access to the 'net. Normally one would get a pop-up program alert about a change in the file signature, but I got no such alert from this change in the TCP stack. Therefore, I had no chance to allow the change, as one normally can do when a file gets updated. But I experimented with various program settings and found one that fixed the problem in an instant.

To restore your Internet access after losing it by applying patch MS08-037, open the ZoneAlarm control center by double-clicking on the "Z" in the System Tray. When the control center opens, click on the word "Firewall" on the left, then on the "Main" tab on the right, and lower the "Internet Zone Security" slider from High to Medium. That will instantly fix the connectivity problem, but removes your stealth status, leaving you more at risk than before from TCP attacks. This is more of a problem for people who are directly connected to a broadband or dial-up modem, rather than to a router (or combo modem/router). Computers behind a NAT router (wired or wireless) are already hidden from most hostile TCP probes from the 'Net.

After you reset the "Internet Zone Security" in the ZoneAlarm Personal Firewall to Medium, go ahead and re-install the DNS spoofing patch MS08-037 (Hotfix #951478), via Windows Updates. Be sure you reboot. Unless another security program is watching for and blocking program signature changes, you should be connected again upon entering the Wonderful World of Windows (WWW).

Hopefully, ZoneAlarm will realize that their firewall is causing problems with Windows PCs that are patched against the DNS spoofing attacks and will quickly issue an updated version to cope with this situation.
